ML20294A107
| ML20294A107 | |
| Person / Time | |
|---|---|
| Issue date: | 10/07/2020 |
| From: | NRC/OCIO |
| To: | |
| Shared Package | |
| ML20294A094 | List: |
| References | |
| FOIA, NRC-2018-000103 | |
Text
From: McAndrew, Sara
Sent: Monday, June 06, 2016 1:28 PM
To: Gagnon, Ronald
Subject: RE: Draft SUNSI responses
Follow Up Flag: Follow up
Flag Status: Flagged

Ron,
Thank you for your quick turn around.
(b)(5)
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 12:31 PM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;
Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses
Sara,
Thank you for the quick response. (b)(5)
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>
Subject: RE: Draft SUNSI responses
(b)(5)
Thanks for your help,
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Let me know if you have a few minutes to meet when you get in today.
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses
(b)(5)
Thank you.
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Correia, Richard
Sent: Thursday, June 09, 2016 12:44 PM
To: Gagnon, Ronald
Cc: McAndrew, Sara; Janney, Margie; Le, Hong; Rheaume, Cynthia
Subject: RE: Draft SUNSI responses
Follow Up Flag: Follow up
Flag Status: Flagged

Many thanks Ron. Appreciate your great support.
Best
Rich
Richard P. Correia, P.E.
Director, Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. NRC

From: Gagnon, Ronald
Sent: Wednesday, June 08, 2016 9:02 AM
To: Correia, Richard <Richard.Correia@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>; Le, Hong
<Hong.Le@nrc.gov>; Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses
Good morning Rich,
I agree that the information will be a good resource for NRC employees. I'll forward your proposal to the OCIO leadership team for their input / action. Please copy me with your response to the employee.
Thank you for your assistance.
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Correia, Richard
Sent: Wednesday, June 08, 2016 8:48 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: FW: Draft SUNSI responses
attorney client privileged information
attorney work product
Good morning Ron,
(b)(5)
Best
Rich
Richard P. Correia, P.E.
Director, Division of Risk Analysis
Office of Nuclear Regulatory Research
U.S. NRC

From: McAndrew, Sara
Sent: Monday, June 06, 2016 1:31 PM
To: Correia, Richard <Richard.Correia@nrc.gov>
Cc: Weber, Michael <Michael.Weber@nrc.gov>
Subject: FW: Draft SUNSI responses
attorney client privileged information
attorney work product
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 12:31 PM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;
Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses
Sara,
Thank you for the quick response. (b)(5)
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>
Subject: RE: Draft SUNSI responses
attorney client privileged information
attorney work product
Ron,
(b)(5)
Thanks for your help,
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Let me know if you have a few minutes to meet when you get in today.
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses
(b)(5)
Thank you.
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Weber, Michael
Sent: Monday, June 06, 2016 3:48 PM
To: Gagnon, Ronald
Subject: RESPONSE - Draft SUNSI responses

Thanks, Ron

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 12:31 PM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick
<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;
Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>
Subject: RE: Draft SUNSI responses
Sara,
Thank you for the quick response. (b)(5)
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>
Subject: RE: Draft SUNSI responses
Thanks for your help,
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
(b)(5)
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Let me know if you have a few minutes to meet when you get in today.
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses
(b)(5)
Thank you.
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: McAndrew, Sara
Sent: Monday, June 06, 2016 11:50 AM
To: Gagnon, Ronald
Cc: Janney, Margie; Weber, Michael; Brown, Frederick; Correia, Richard
Subject: RE: Draft SUNSI responses
Attachments: SUNSI answers sent to 000 June 6.docx
The 2-page draft attachment has been withheld in full on the basis of FOIA exemption 5.

attorney client privileged information
attorney work product
Ron,
Thanks for your help,
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Gagnon, Ronald
Sent: Monday, June 06, 2016 11:10 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Gagnon, Ronald
Sent: Tuesday, May 31, 2016 7:29 AM
To: McAndrew, Sara <Sara.McAndrew@nrc.gov>
Subject: RE: SUNSI responses
Good morning Sara,
Let me know if you have a few minutes to meet when you get in today.
Thank you,
Ron
Ronald E. Gagnon
OCIO / PMPD / IPB
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: McAndrew, Sara
Sent: Wednesday, May 25, 2016 4:25 PM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Subject: SUNSI responses
(b)(5)
Thank you.
Sara
Sara McAndrew
Senior Attorney
301-287-0976
OWFN15A66

From: Rheaume, Cynthia
Sent: Friday, May 27, 2016 12:42 PM
To: Le, Hong; Gagnon, Ronald
Cc: Janney, Margie; Flanagan, James
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Follow Up Flag: Follow up
Flag Status: Flagged

All - no need to coordinate with the IG, as clarified by Jim this AM. He would like for OGC to handle all further communications.

From: Flanagan, James
Sent: Friday, May 27, 2016 11:39 AM
To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald
Cc: Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Yes, please discuss with OGC and have them frame a response. This email exchange is likely to get argumentative and it is not something that we wish to continue to engage in. Before we send anything back to this individual please connect with Fred so that he can review.
Thank you,
James P. Flanagan
Deputy, Chief Information Officer
Office of the Chief Information Officer
United States Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike, Mail Stop O-6E7A
Rockville, MD 20852-2738
Telephone 301-415-8700
James.Flanagan@nrc.gov

From: Rheaume, Cynthia
Sent: Friday, May 27, 2016 11:17 AM
To: Le, Hong <Hong.Le@nrc.gov>; Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Jim - I thought I heard you say you also wanted us to coordinate with the IG, correct?

From: Le, Hong
Sent: Friday, May 27, 2016 10:10 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: Re: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Ron - please do not respond. We need to consult with Fred/Jim and/or OGC.

On: 27 May 2016 10:04, "Criscione, Lawrence" <Lawrence.Criscione@nrc.gov> wrote:
Ron,
Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".
Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.
Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.
Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?
My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.
Thank you,
Larry

From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578
Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon
SUNSI / CUI Program Manager
Office of the Chief Information Officer
IT/IM Policy Branch
United States Nuclear Regulatory Commission
One White Flint North
11545 Rockville Pike, Mail Stop O-6H11
Rockville, MD 20852
Office: 301-415-6873

From: Flanagan, James
Sent: Friday, May 27, 2016 11:42 AM
To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald
Cc: Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Attachments: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Follow Up Flag: Follow up
Flag Status: Flagged

Also, the OGC point of contact is attached. Please mark all "Attorney Client Privilege" from this point forward.
Regards,
James P. Flanagan
Deputy, Chief Information Officer
Office of the Chief Information Officer
United States Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike, Mail Stop O-6E7A
Rockville, MD 20852-2738
Telephone 301-415-8700
James.Flanagan@nrc.gov

From: Flanagan, James
Sent: Friday, May 27, 2016 11:39 AM
To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald
Cc: Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Yes, please discuss with OGC and have them frame a response. This email exchange is likely to get argumentative and it is not something that we wish to continue to engage in. Before we send anything back to this individual please connect with Fred so that he can review.
Thank you,
James P. Flanagan
Deputy, Chief Information Officer
Office of the Chief Information Officer
United States Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike, Mail Stop O-6E7A
Rockville, MD 20852-2738
Telephone 301-415-8700
James.Flanagan@nrc.gov

From: Rheaume, Cynthia
Sent: Friday, May 27, 2016 11:17 AM
To: Le, Hong; Gagnon, Ronald
Cc: Flanagan, James; Janney, Margie
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Jim - I thought I heard you say you also wanted us to coordinate with the IG, correct?

From: Le, Hong
Sent: Friday, May 27, 2016 10:10 AM
To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: Re: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Ron - please do not respond. We need to consult with Fred/Jim and/or OGC.

On: 27 May 2016 10:04, "Criscione, Lawrence" <Lawrence.Criscione@nrc.gov> wrote:
Ron,
Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".
Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.
Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.
Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?
My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.
Thank you,
Larry

From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578
Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: McAndrew, Sara
Sent: Friday, May 27, 2016 10:41 AM
To: Flanagan, James
Cc: Gagnon, Ronald; Maxin, Mark; Weber, Michael; Correia, Richard; Thaggard, Mark
Subject: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Attorney client privilege:
Thanks, Jim.
(b)(5), (b)(6)
(b)(5)
Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66
From: Flanagan, James Sent: Friday, May 27, 2016 10:15 AM
To: Weber, Michael <Michael.Weber@nrc.gov>; Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Thaggard, Mark <Mark.Thaggard@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Mike, Thank you, Hong Le, his manager had provided similar guidance. We will not be responding until OGC provides further insight.
Thank you, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700
James.Flanagan@nrc.gov From: Weber, Michael Sent: Friday, May 27, 2016 10:14 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Thaggard, Mark <Mark.Thaggard@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Flanagan, James
<James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Subject:
FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI Good morning, Ron. Before you consider responding, suggest that you touch base with Sara McAndrew in OGC. Sara has been assisting us on questions like these from Larry Thanks From: Criscione, Lawrence Sent: Friday, May 27, 2016 10:05 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard
<Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>;
Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael
<Michael.Weber@nrc.gov>
Subject:
Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".
Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.
Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.
Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?
My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.
Thank you, Larry From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM
To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard
<Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>;
Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael
<Michael.Weber@nrc.gov>
Subject:
Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that..."except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf Need-To-Know Access A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information. See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Flanagan, James
Sent: Friday, May 27, 2016 10:24 AM
To: Gagnon, Ronald
Cc: Janney, Margie; Rheaume, Cynthia; Le, Hong; Chen, Yen-Ming; Brown, Frederick
Subject: RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
Attachments: FYI - Who Determines Need-To-Know for OUO?
Follow Up Flag: Follow up
Flag Status: Flagged
- Team, Attached is additional material to support your OGC review This was provided by Mike Weber from an email to Cynthia Carpenter
- Regards, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov From: Flanagan, James Sent: Friday, May 27, 2016 10:07 AM To: Gagnon, Ronald Cc: Janney, Margie; Rheaume, Cynthia; Le, Hong; Chen, Yen-Ming; Brown, Frederick
Subject:
RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Ron, Please seek guidance from OGC and OCHCO related to any response. This is just getting argumentative and placing your factual response in a difficult position.
- Regards, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer
United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov From: Criscione, Lawrence Sent: Friday, May 27, 2016 10:05 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia
<Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>;
Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208
<NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject:
Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI
- Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".
Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.
Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.
Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?
My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.
Thank you, Larry From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>
Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia
<Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>;
Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208
<NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Subject:
Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that..."except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf Need-To-Know Access A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Weber, Michael
Sent: Friday, May 27, 2016 10:21 AM
To: McAndrew, Sara
Cc: Thaggard, Mark; Correia, Richard; Hackett, Edwin; Flanagan, James; Carpenter, Cynthia
Subject: FYI - Who Determines Need-To-Know for OUO?
(b)(5)
From: Criscione, Lawrence
Sent: Friday, May 27, 2016 9:49 AM
To: Carpenter, Cynthia; Weber, Michael
Cc: Hackett, Edwin; Correia, Richard; Peters, Sean; Heard, Robert; Schwartz, Maria; NTEU, Chapter 208; Gagnon, Ronald; Kirkwood, Sara; Holahan, Gary; Clark, Theresa
Subject: RE: Who Determines Need-To-Know for OUO?
- Cynthia, If you review the lengthy email trail below, you will see that I've been down that route before. In February 2015, Ron Gagnon of the FOIA branch passed the buck on my concerns back to my RES supervision.
I believe that there is absolutely no basis for "Need-to-Know" to be applied to nuclear safety concerns such as catastrophic flooding at nuclear power plant sites due to upstream dam failures-failures caused by acts of nature and latent engineering flaws and not acts of sabotage. It is clear to me that these "Need-to-Know" restrictions are being set in place to prevent inconvenient embarrassing information from being widely accessed within the NRC and thus limit its likelihood of exiting the agency (as occurred in 2012 when I distributed some documents to Congress and the US Office of Special Counsel).
I recognize that it is natural for a bureaucracy to place a primacy upon protecting its good name and reputation, but by restricting information on important nuclear safety issues to only those staff who can be "trusted" to not disclose glaring unresolved public hazards we are undermining the Open & Collaborative Work Environment that his agency supposedly supports.
I will not be bouncing around FOIA and OCIO to discuss my concerns. My concerns have been well documented in the 3 1/2 year email trail below. Lack of understanding on this issue (i.e. Need-to-know regarding SUNSI) led directly to the NRC's IG illegally seeking felony charges against me in February 2013 for sharing SUNSI with some Congressional staffers-something I had a protected right to do under 5 USC 7211. This is an issue that both the agency and the union should take seriously as it undermines the ability of the bargaining unit to vet their concerns with staff whom they trust-e.g. in NRO they are currently restricted from discussing flooding issues with staff who have not been specifically assigned to the work on the issue.
I've asked four questions below. According to Ron Gagnon's February 2012 responses to me, those questions fall under the purview of my RES chain of command. I would appreciate it if you and Mike Weber would recognize and respect the efforts I have taken since October 25, 2012 to get answers to these questions and not dish me off to the FOIA office and OCIO.
The simple questions I would like specific, non-bureaucratic answers to are:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Thank you, Larry 573-230-3959 From: Carpenter, Cynthia Sent: Wednesday, May 25, 2016 11:18 AM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject: RE: Who Determines Need-To-Know for OUO?
Larry Please contact OCIO regarding your questions. Controlled Unclassified Information (i.e. currently SUNSI) falls under their area of expertise. If it were SGI or classified, it would be NSIR. I don't know who in OCIO has the lead for this, but I would start with the FOIA, Privacy and information collections branch.
From: Criscione, Lawrence Sent: Wednesday, May 25, 2016 8:57 AM To: Weber, Michael <Michael.Weber@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject:
RE: Who Determines Need-To-Know for OUO?
Mike/Cynthia, Yesterday the agency published a Yellow Announcement on Need-to-Know (ML16111A432) which-in my opinion-was not very informative. I still have the following questions regarding Need-to-Know as it pertains to nuclear safety issues marked as SUNSI (I have always had a very clear understanding regarding Need-to-know as applied to classified information and SGI):
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
- Thanks, Larry Lawrence S. Criscione RES/DRA/HFRB From: Criscione, Lawrence Sent: Thursday, April 28, 2016 5:39 PM To: Weber, Michael <Michael.Weber@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>;
Campbell, Andy <Andy.Campbell@nrc.gov>; Bley, Dennis <Dennis.Bley@nrc.gov>
Subject:
Who Determines Need-To-Know for OUO?
Mike/Sheryl, As can be seen from the email trail below, I have been trying to get an answer to the handling of Official Use Only information for quite some time.
Attached is a letter I received last week from the US Office of Special Counsel (OSC). In the letter it is stated that the OSC has referred my disclosure regarding the agency's failure to adequately address flooding from dam failures to the NRC Chairman for investigation and report. It is not yet known by me whom the Chairman intends to assign to investigate my concerns.
In anticipation of potentially meeting with the Chairman's assigned investigator, over lunch today I met with seven colleagues from RES, NRR and NRO to discuss outstanding flooding concerns. At that meeting I was informed that certain supervisors in NRO have deemed certain flooding information and studies as sensitive information subject to strict need-to-know restrictions.
That is, my NRO colleagues told me they had to talk around certain concerns because I-and others present-were not formally assigned to work on those issues and to know those concerns.
Please note that none of the issues were related to nuclear security. These issues pertained entirely to nuclear SAFETY issues (e.g. Probabilistic Maximum Precipitation estimates for certain sites, flood inundation levels, etc).
Please also see the attached OCWE flyer from Bill Borchardt.
To me, the restrictions placed on the NRO staff directly contradict the work environment purported by Mr Borchardt.
But it is much worse than that.
One of the NRO staff informed me that she might not be able to discuss some of her specific flooding concerns with the Chairman's investigator since the issues could only be shared with those with a need-to-know.
Think about that for a minute. The staff of the NRC supports the work of the Commission. The President appoints the Chairman of the Commission. The President appoints the Special Counsel. The Special Counsel has directed the Chairman to furnish a report to her within 60 days regarding my flooding concerns so that she might forward the Chairman's investigative results on to the President. Yet NRO management has their staff so rattled and confused regarding "need-to-know" surrounding flooding concerns that a staff member is concerned that she cannot even discuss those issues with the Chairman's investigator.
That's messed up. Waaaaaay messed up.
Today, I also found out that the Advisory Committee on Reactor Safeguards needed to agree to a Memorandum of Understanding (MOU) prior to being allowed to see certain flooding information.
Think about that for a minute. This is unclassified information. It is not safeguards. None of it has any value in determining how to breach a dam. These studies were done at the request of the NRC to aid in determining how dam failures will affect the viability of reactor plants. Yet the Advisory Committee on Reactor Safeguards cannot automatically see these studies?????
I would appreciate it if I could get a definitive answer from Mike to the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
I recognize PII, allegation material, attorney/client privilege all fall under some definition of SUNSI. But in lieu of a better term, I am using SUNSI to refer to nuclear safety related information that is, for whatever reason, not public information. I am not at all confused on the prohibition of sharing PII, allegation material, attorney-client privilege, etc. so please restrict your answer to SUNSI that pertains solely to nuclear safety. Please answer my questions directly. As can be seen below, I have for several years been bounced around between various NRC offices, web pages, 10 CFR references, and obtuse Management Directive references that do not address these questions.
This is an issue that gravely affects the Safety Culture of this agency. Imagine an individual with concerns regarding the flooding evaluation at Oconee being told that he cannot discuss the matter with fellow colleagues in his branch because they have no "need-to-know". Imagine the stress of being told by your superiors to sign off on an evaluation and not being able to discuss your concerns with your trusted peers. These are not hypotheticals; they have happened and are happening.
I would appreciate it from Sheryl if she would assist me in getting answers to my questions above. This is an NRC issue not a RES issue (in fact, to my knowledge, there is nothing in RES restricted to a "need-to-know").
To me, this should be brought up at the ALMPC.
I am not saying there is no guidance. As can be seen from the email trail below, there is plenty of guidance. It's just not in a form that can be applied.
I would like the NRC to go on record stating that there are certain SUNSI documents that cannot be supplied to Congress and the OSC or confirming that there are no prohibitions against providing SUNSI documents to Congress and the OSC. And I would like the NRC to go on record stating that all employees can view discuss SUNSI nuclear safety concerns with their peers or confirming that there are certain prohibitions against sharing SUNSI material with peers not directly assigned to work on those materials.
V/r, Larry Lawrence S. Criscione RES/DRA/HFRB 573-230-3959 From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 10:41 AM To: Correia, Richard <Richard.Correia@nrc.gov>; West, Steven <Steven.West@nrc.gov>; Peters, Sean
<Sean.Peters@nrc.gov>
Subject:
Management's Credibility
There has been much discourse on this SUNSI issue both via email and in cubicle and cafeteria conversations.
Much of it is stated less professionally and more cynically than Ed's email below. Ed's mention of a DPO is a sarcastic reference to one of Ron's responses; no one is going to waste their time attempting to address any of these items with a DPO.
Just because most of your staff is focused on doing their jobs and do not wish to ruffle anyone's feathers, please don't think that there are only two people (i.e. me and Richard Perkins) complaining about this. This has been a long-standing complaint amongst certain personnel at NRR long before I was ever hired at the NRC-my involvement in this issue came as a result of their complaints to me. And there is widespread dissatisfaction in RES regarding these matters and how our management has avoided addressing them.
There might be a large contingent of managers and staff who resent "open government", but there is a very concerned contingent of technical staff who are appalled at what we are not allowed to share with the public.
And they are equally appalled by the lack of professionalism that has gone into resolving this issue. We expect our leaders to lead and not to politically avoid the difficult questions they are well-paid to confront. Balancing open government and SUNSI is one such issue.
Ron Gagnon is the supposed SUNSI expert for the agency and it is his determination that many of these questions are the prerogative of the office. I say we run with that determination. I say that in the absence of agency ownership of SUNSI, we take ownership of the SUNSI policies for our office. If you would like me to (and if Sean will allow me time to work on it), I can draft some guidance on how to determine what is SUNSI, how to apply "need-to-know" and how to conduct "portion-marking".
I know Brian believes SUNSI is owned by ADM, but ADM-and specifically the SUNSI lead in ADM-believes that specific SUNSI guidance (vice the broad policies put out by ADM in MD 12.6) is the prerogative of the individual offices. This makes sense. Understandably ADM does not feel comfortable writing prescriptive guidance for NRR, RES, etc. We know our work and should be the ones translating the high-level ADM SUNSI policies into workable prescriptive guidance for our people.
V/r, Larry From: ODonnell, Edward Sent: Monday, March 02, 2015 1:53 PM To: Orr, Mark; Barr, Jonathan; Criscione, Lawrence
Subject:
FW: Need-to-Know requirements for SUNSI
The answers leave one hanging. Perhaps a differing professional opinion should be invoked regarding them.
From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI
- Larry, Please see my replies adjacent to your questions.
Thank you, Ron
Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.
I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):
1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.
1.b) What document designates them as such? Check with your office leadership.
1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).
1.d) If you disagree with their determination, is there an appeal process?
As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives:
- To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice,
- To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC,
- To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel,
- To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process,
- To protect employees from retaliation in any form for expressing a differing opinion,
- To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency,
- To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.
2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.
2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.
2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized / entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:
http://www.internal.nrc.gov/incident.html (please note that other notifications may be necessary depending on the type of spill).
R/
Larry From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard
Subject:
RE: Need-to-Know requirements for SUNSI
Good afternoon Larry, It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.
Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.
Please let me know if I can be of further assistance.
Thank you for your questions, Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie
Subject:
FW: Need-to-Know requirements for SUNSI From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph
Subject:
Need-to-Know requirements for SUNSI Auto forwarded by a Rule SUNSI Resource:
I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:
NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html FAQs available on the SUNSI website address commonly requested topics:
http://www.internal.nrc.gov/sunsi/faq.html
My questions are:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:
"Or put another way.. If information appeared on the front page of the Washington Post and you cringe when you see it....It's probably sensitive".
I believe that:
- The above definition is deleterious to our goals of openness and transparency.
- Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it "appeared on the front page of the Washington Post" it would make us cringe.
I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.
Larry Lawrence S. Criscione 573-230-3959 From: (b)(7)(C)
Sent: Wednesday, February 18, 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick Subject: RE: OIG Case 13-001 and OUO-SRI
http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.
Regards (b)(7)(C)
From: Criscione, Lawrence Sent: Thursday, February 12, 2015 11:28 AM
To: (b)(7)(C)
Subject:
RE: OIG case 13-001 and OUO-SRI Thanks (b)(7)(C)
Daniel Cardenas referred me to Admin but did not give me the name of a contact.
From: (b)(7)(C)
Sent: Thursday, February 12, 2015 9:08 AM To: Criscione, Lawrence
Subject:
RE: OIG case 13-001 and OUO-SRI Let me make some phone calls Larry (b)(7)(C)
From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:48 PM To: (b)(7)(C)
Subject:
OIG case 13-001 and OUO-SRI (b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
Please see my email below to (b)(7)(C)
I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?).
V/r, Larry From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:37 PM To: (b)(7)(C)
Subject:
OIG case 13-001 (b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy. The investigation for Case 13-001 closed on September 11, 2013.
As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:
http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf
The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only-Security-Related Information".
Given that OUO-SRI documents are not portion marked, I still have no understanding of:
- 1. How I am to determine what exactly in those documents is OUO-SRI
- 2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
- 3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
- 4. How to determine who has a "need to know" with regard to OUO-SRI information
R,
Larry From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Who Determines Need-to-Know?
Thanks Rich.
I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"
For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?
Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?
From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
RE: Need Assistance from RES and NTEU
- Larry, I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10 CFR 73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.
Rich
Richard Correia, PE
- Director, Division of Risk Analysis Office of Nuclear Regulatory Research US NRC richard.correia@nrc.gov From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Need Assistance from RES and NTEU Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.
On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.
I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.
If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.
Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl
Subject:
FW: Questions
- Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.
I look forward to your answers.
Thank you.
Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Thursday, October 25, 2012 9:37 PM To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject:
Questions
1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:
When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.
I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?
- 2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:
"... no person, including employees of the U.S. Government, NRC,....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."
I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."
Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?
Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":
Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?
- 3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:
  - NRC office originating the information
  - Office that has primary interest in the information
  - Source from which the information was derived
- 4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only-Security-Related Information"?
I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO-SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.
R,
Larry From: Criscione, Lawrence Sent: Thursday, October 25, 2012 5:50 PM To: Cardenas, Daniel
Subject:
RE: Infom,ation Release The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?
From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:39 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject: Re: Information Release
Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.
Regards.
Dan
~ Sent from an NRC Blackberry ~
Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email: Daniel.Cardenas@nrc.gov Office Number: (301) 415-6184 Cell Number: (b)(6) Fax Number: (301) 415-5132
From: Criscione, Lawrence To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Sent: Thu Oct 25 17:31:31 2012
Subject: RE: Information Release
- Daniel, My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.
The only personnel outside the NRC to whom I have provided "Official Use Only-Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.
Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.
Is my union steward allowed to accompany me to the meeting?
V/r, Larry Criscione 573-230-3959
From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:01 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen
Subject: Information Release
Importance: High
Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.
www.internal.nrc.gov/sunsi/
If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.
Please schedule a time to discuss this matter with me.
Regards.
Daniel Cardenas Chief, Facilities Security Branch Division of Facilities and Security, Office of Administration Location: T6-E3 | Office Email: Daniel.Cardenas@nrc.gov Office Number: (301) 415-6184 NRC Blackberry: (b)(6) NRC Fax: (301) 415-5132
From: Janney, Margie
Sent: Thursday, May 26, 2016 12:41 PM
To: Gagnon, Ronald
Cc: Rheaume, Cynthia; Le, Hong
Subject: FW: Who Determines Need-To-Know for OUO?
Importance: High
Follow Up Flag: Follow up
Flag Status: Flagged
- Ron, At this morning's ET/Division Directors meeting, both Jim and Fred requested that you consult with OIG to provide additional information to clarify to Larry about your answer to his third question.
Please see Cindy or Jim if you need more explanation.
Thank you,
-Margie Margie Janney, CRM/NS Chief, IT/IM Policy Branch IT/IM Portfolio Management and Planning Division Office of the Chief Information Officer U.S. Nuclear Regulatory Commission 301-415-7245 Margie.Janney@nrc.gov
From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence Cc: Janney, Margie; Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming; Hackett, Edwin; Correia, Richard; Peters, Sean; Heard, Robert; Schwartz, Maria; NTEU, Chapter 208; Weber, Michael
Subject: Who Determines Need-To-Know for OUO?
Mr. Criscione:
You inquired regarding the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section D(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578
Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents. and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Gagnon, Ronald
Sent: Wednesday, May 25, 2016 3:06 PM
To: Janney, Margie
Cc: Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming
Subject: RE: Who Determines Need-To-Know for OUO?
Attachments: RE: Need-to-Know requirements for SUNSI; DCPD 201300092.pdf
Follow Up Flag: Follow up
Flag Status: Flagged
The 1st attachment is an email string beginning with Mr. Criscione's 03-03-15 8:51 AM that appears in the next record.
This 2nd attachment is publicly available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/fact-sheet-presidential-policy-directive-critical-infrastructure-security.
- Margie,
Mr. Criscione is asking the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
Reply: NRC SUNSI Policy clearly states that... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:
NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section D(2) - Need to know access
See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf
Need-To-Know Access
A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578
Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.
See Below:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-
- Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
- Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
- Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
- Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
- Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
- Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
- Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
- Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
- Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
- Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
- Performs any other functions assigned by the Chairman.
Question 4: If so, who makes that determination?
Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.
Please let me know if you have additional questions or concerns.
Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Janney, Margie Sent: Wednesday, May 25, 2016 11:41 AM To: Gagnon, Ronald Cc: Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming
Subject: FW: Who Determines Need-To-Know for OUO?
- Ron, Assuming he has asked the same questions as last time, I suggest you answer Larry with a reference back to that answer. Note he refers to you in his March 3 email below.
-Margie Margie Janney, CRM/NS Chief, IT/IM Policy Branch IT/IM Portfolio Management and Planning Division Office of the Chief Information Officer U.S. Nuclear Regulatory Commission 301-415-7245 Margie.Janney@nrc.gov
From: Flanagan, James Sent: Wednesday, May 25, 2016 11:32 AM To: Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>
Cc: Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>
Subject: FW: Who Determines Need-To-Know for OUO?
Cynthia, Hong and Margie, Can we answer these questions or can we direct the individual to the party that can answer them?
- Regards,
James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov
From: Carpenter, Cynthia Sent: Wednesday, May 25, 2016 11:18 AM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject: RE: Who Determines Need-To-Know for OUO?
Larry Please contact OCIO regarding your questions. Controlled Unclassified Information (i.e. currently SUNSI) falls under their area of expertise. If it were SGI or classified, it would be NSIR. I don't know who in OCIO has the lead for this, but I would start with the FOIA, Privacy and information collections branch.
From: Criscione, Lawrence Sent: Wednesday, May 25, 2016 8:57 AM To: Weber, Michael <Michael.Weber@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Subject: RE: Who Determines Need-To-Know for OUO?
Mike/Cynthia, Yesterday the agency published a Yellow Announcement on Need-to-Know (ML16111A432) which-in my opinion-was not very informative. I still have the following questions regarding Need-to-Know as it pertains to nuclear safety issues marked as SUNSI (I have always had a very clear understanding regarding Need-to-know as applied to classified information and SGI):
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
- Thanks, Larry Lawrence S. Criscione RES/DRA/HFRB
From: Criscione, Lawrence Sent: Thursday, April 28, 2016 5:39 PM To: Weber, Michael <Michael.Weber@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>
Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; Campbell, Andy <Andy.Campbell@nrc.gov>; Bley, Dennis <Dennis.Bley@nrc.gov>
Subject: Who Determines Need-To-Know for OUO?
Mike/Sheryl, As can be seen from the email trail below, I have been trying to get an answer to the handling of Official Use Only information for quite some time.
Attached is a letter I received last week from the US Office of Special Counsel (OSC). In the letter it is stated that the OSC has referred my disclosure regarding the agency's failure to adequately address flooding from dam failures to the NRC Chairman for investigation and report. It is not yet known by me whom the Chairman intends to assign to investigate my concerns.
In anticipation of potentially meeting with the Chairman's assigned investigator, over lunch today I met with seven colleagues from RES, NRR and NRO to discuss outstanding flooding concerns. At that meeting I was informed that certain supervisors in NRO have deemed certain flooding information and studies as sensitive information subject to strict need-to-know restrictions.
That is, my NRO colleagues told me they had to talk around certain concerns because I-and others present-were not formally assigned to work on those issues and to know those concerns.
Please note that none of the issues were related to nuclear security. These issue pertained entirely to nuclear SAFETY issues (e.g. Probabilistic Maximum Precipitation estimates for certain sites, flood inundation levels, etc.).
Please also see the attached OCWE flyer from Bill Borchardt. To me, the restrictions placed on the NRO staff directly contradicts the work environment purported by Mr. Borchardt.
But it is much worse than that.
One of the NRO staff informed me that she might not be able to discuss some of her specific flooding concerns with the Chairman's investigator since the issues could only be shared with those with a need-to-know.
Think about that for a minute. The staff of the NRC supports the work of the Commission. The President appoints the Chairman of the Commission. The President appoints the Special Counsel. The Special Counsel has directed the Chairman to furnish a report to her within 60 days regarding my flooding concerns so that she might forward the Chairman's investigative results on to the President. Yet NRO management has their staff so rattled and confused regarding "need-to-know" surrounding flooding concerns that a staff member is concerned that she cannot even discuss those issues with the Chairman's investigator. That's messed up. Waaaaaay messed up.
Today, I also found out that the Advisory Committee on Reactor Safeguards needed to agree to a Memorandum of Understanding (MOU) prior to being allowed to see certain flooding information.
Think about that for a minute. This is unclassified information. It is not safeguards. None of it has any value in determining how to breach a dam. These studies were done at the request of the NRC to aid in determining how dam failures will affect the viability of reactor plants. Yet the Advisory Committee on Reactor Safeguards cannot automatically see these studies?????
I would appreciate it if I could get a definitive answer from Mike to the following:
- 1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
- 2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
- 3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
- 4. If so, who makes that determination?
I recognize PII, allegation material, attorney/client privilege all fall under some definition of SUNSI. But in lieu of a better term, I am using SUNSI to refer to nuclear safety related information that is, for whatever reason, not public information. I am not at all confused on the prohibition of sharing PII, allegation material, attorney-client privilege, etc. so please restrict your answer to SUNSI that pertains solely to nuclear safety.
Please answer my questions directly. As can be seen below, I have for several years been bounced around between various NRC offices, web pages, 10 CFR references, and obtuse Management Directive references that do not address these questions.
This is an issue that gravely affects the Safety Culture of this agency. Imagine an individual with concerns regarding the flooding evaluation at Oconee being told that he cannot discuss the matter with fellow colleagues in his branch because they have no "need-to-know". Imagine the stress of being told by your superiors to sign off on an evaluation and not being able to discuss your concerns with your trusted peers. These are not hypotheticals; they have happened and are happening.
I would appreciate it from Sheryl if she would assist me in getting answers to my questions above. This is an NRC issue not a RES issue (in fact, to my knowledge, there is nothing in RES restricted to a "need-to-know").
To me, this should be brought up at the ALMPC.
I am not saying there is no guidance. As can be seen from the email trail below, there is plenty of guidance. It's just not in a form that can be applied. I would like the NRC to go on record stating that there are certain SUNSI documents that cannot be supplied to Congress and the OSC or confirming that there are no prohibitions against providing SUNSI documents to Congress and the OSC. And I would like the NRC to go on record stating that all employees can view discuss SUNSI nuclear safety concerns with their peers or confirming that there are certain prohibitions against sharing SUNSI material with peers not directly assigned to work on those materials.
V/r, Larry Lawrence S. Criscione RES/DRA/HFRB 573-230-3959
From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 10:41 AM To: Correia, Richard <Richard.Correia@nrc.gov>; West, Steven <Steven.West@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>
Subject: Management's Credibility
There has been much discourse on this SUNSI issue both via email and in cubicle and cafeteria conversations.
Much of it is stated less professionally and more cynically than Ed's email below. Ed's mention of a DPO is a sarcastic reference to one of Ron's responses; no one is going to waste their time attempting to address any of these items with a DPO.
Just because most of your staff is focused on doing their jobs and do not wish to ruffle anyone's feathers, please don't think that there are only two people (i.e. me and Richard Perkins) complaining about this. This has been a long-standing complaint amongst certain personnel at NRR long before I was ever hired at the NRC-my involvement in this issue came as a result of their complaints to me. And there is widespread dissatisfaction in RES regarding these matters and how our management has avoided addressing them.
There might be a large contingent of managers and staff who resent "open government", but there is a very concerned contingent of technical staff who are appalled at what we are not allowed to share with the public.
And they are equally appalled by the lack of professionalism that has gone into resolving this issue. We expect our leaders to lead and not to politically avoid the difficult questions they are well-paid to confront. Balancing open government and SUNSI is one such issue.
Ron Gagnon is the supposed SUNSI expert for the agency and it is his determination that many of these questions are the prerogative of the office. I say we run with that determination. I say that in the absence of agency ownership of SUNSI, we take ownership of the SUNSI policies for our office. If you would like me to (and if Sean will allow me time to work on it), I can draft some guidance on how to determine what is SUNSI, how to apply "need-to-know" and how to conduct "portion-marking".
I know Brian believes SUNSI is owned by ADM, but ADM-and specifically the SUNSI lead in ADM-believes that specific SUNSI guidance (vice the broad policies put out by ADM in MD 12.6) is the prerogative of the individual offices. This makes sense. Understandably ADM does not feel comfortable writing prescriptive guidance for NRR, RES, etc. We know our work and should be the ones translating the high-level ADM SUNSI policies into workable prescriptive guidance for our people.
V/r,
Larry
From: ODonnell, Edward
Sent: Monday, March 02, 2015 1:53 PM
To: Orr, Mark; Barr, Jonathan; Criscione, Lawrence
Subject: FW: Need-to-Know requirements for SUNSI
The answers leave one hanging. Perhaps a differing professional opinion should be invoked regarding them.
From: Gagnon, Ronald
Sent: Monday, March 02, 2015 1:49 PM
To: Criscione, Lawrence
Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject: RE: Need-to-Know requirements for SUNSI
Larry,
Please see my replies adjacent to your questions.
Thank you,
Ron
Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Criscione, Lawrence
Sent: Friday, February 27, 2015 3:23 PM
To: Gagnon, Ronald
Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject: RE: Need-to-Know requirements for SUNSI
Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.
I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):
1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.
1.b) What document designates them as such? Check with your office leadership.
1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).
1.d) If you disagree with their determination, is there an appeal process?
As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.
2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.
2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.
2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized / entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:
http://www.internal.nrc.gov/incidenthtml (please note that other notifications may be necessary depending on the type of spill).
R/
Larry
From: Gagnon, Ronald
Sent: Friday, February 27, 2015 2:15 PM
To: Criscione, Lawrence
Cc: Janney, Margie; Correia, Richard
Subject: RE: Need-to-Know requirements for SUNSI
Good afternoon Larry,
It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.
Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.
Please let me know if I can be of further assistance.
Thank you for your questions,
Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: SUNSI Resource
Sent: Wednesday, February 25, 2015 7:44 AM
To: Gagnon, Ronald; Janney, Margie
Subject: FW: Need-to-Know requirements for SUNSI
From: Criscione, Lawrence
Sent: Wednesday, February 25, 2015 7:44:21 AM
To: SUNSI Resource
Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph
Subject: Need-to-Know requirements for SUNSI
Auto forwarded by a Rule
SUNSI Resource.
I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:
NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html
FAQs available on the SUNSI website address commonly requested topics: http://www.internal.nrc.gov/sunsi/faq.html
My questions are:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:
"... or put another way... If information appeared on the front page of the Washington Post and you cringe when you see it.... It's probably sensitive".
I believe that the above definition is deleterious to our goals of openness and transparency. Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it "appeared on the front page of the Washington Post" it would make us cringe.
I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.
Larry
Lawrence S. Criscione 573-230-3959
From: (b)(7)(C)
Sent: Wednesday, February 18, 2015 3:48 PM
To: Criscione, Lawrence
Cc: Peters, Sean; Madden, Patrick
Subject: RE: OIG case 13-001 and OUO-SRI
http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.
Regards
(b)(7)(C)
From: Criscione, Lawrence
Sent: Thursday, February 12, 2015 11:28 AM
To:
Thanks (b)(7)(C)
Daniel Cardenas referred me to Admin but did not give me the name of a contact.
(b)(7)(C)
From:
Sent: Thursday, February 12, 2015 9:08 AM
To: Criscione, Lawrence
Subject: RE: OIG Case 13-001 and OUO-SRI
Let me make some phone calls Larry
(b)(7)(C)
From: Criscione, Lawrence
Sent: Wednesday, February 11, 2015 1:48 PM
To: (b)(7)(C)
Subject: OIG Case 13-001 and OUO-SRI
(b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
Please see my email below to (b)(7)(C)
I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike SGI and classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?)
V/r,
Larry
From: Criscione, Lawrence
Sent: Wednesday, February 11, 2015 1:37 PM
To: (b)(7)(C)
Subject: OIG Case 13-001
(b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
The investigation for Case 13-001 closed on September 11, 2013.
As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:
http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf
The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information". Given that OUO-SRI documents are not portion marked, I still have no understanding of:
- 1. How I am to determine what exactly in those documents is OUO-SRI
- 2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
- 3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
- 4. How to determine who has a "need to know" with regard to OUO-SRI information
R,
Larry
From: Criscione, Lawrence
Sent: Tuesday, June 10, 2014 9:27 AM
To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject: Who Determines Need-to-Know?
Thanks Rich.
I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"
For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?
Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?
From: Correia, Richard
Sent: Tuesday, June 10, 2014 7:02 AM
To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject: RE: Need Assistance from RES and NTEU
Larry,
I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10 CFR 73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.
Rich
Richard Correia, PE
Director, Division of Risk Analysis Office of Nuclear Regulatory Research US NRC richard.correia@nrc.gov
From: Criscione, Lawrence
Sent: Monday, June 02, 2014 5:50 PM
To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject: Need Assistance from RES and NTEU
Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.
On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.
I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff. If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.
Thank you,
Larry
Lawrence S. Criscione 573-230-3959
From: Criscione, Lawrence
Sent: Monday, June 02, 2014 5:35 PM
To: Cardenas, Daniel; Ross-Lee, MaryJane
Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl
Subject: FW: Questions
Dan,
Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.
I look forward to your answers.
Thank you,
Larry
Lawrence S. Criscione 573-230-3959
From: Criscione, Lawrence
Sent: Thursday, October 25, 2012 9:37 PM
To: Cardenas, Daniel
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject: Questions
- 1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:
When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.
I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?
- 2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:
"... no person, including employees of the U.S. Government, NRC,....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."
I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."
Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?
Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":
Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?
- 3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:
NRC office originating the information
Office that has primary interest in the information
Source from which the information was derived
- 4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only-Security-Related Information"?
I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO - SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.
R,
Larry
From: Criscione, Lawrence
Sent: Thursday, October 25, 2012 5:50 PM
To: Cardenas, Daniel
Subject: RE: Information Release
The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?
From: Cardenas, Daniel
Sent: Thursday, October 25, 2012 5:39 PM
To: Criscione, Lawrence
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject: Re: Information Release
Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.
Regards.
Dan
Sent from an NRC Blackberry
Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email: Daniel.Cardenas@nrc.gov Office Number: Cell Number: Fax Number:
From: Criscione, Lawrence
To: Cardenas, Daniel
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Sent: Thu Oct 25 17:31:31 2012
Subject: RE: Information Release
Daniel,
My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.
The only personnel outside the NRC to whom I have provided "Official Use Only - Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.
Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.
Is my union steward allowed to accompany me to the meeting?
V/r,
Larry Criscione 573-230-3959
From: Cardenas, Daniel
Sent: Thursday, October 25, 2012 5:01 PM
To: Criscione, Lawrence
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen
Subject: Information Release
Importance: High
Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.
http://www.internal.nrc.gov/sunsi/
If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.
Please schedule a time to discuss this matter with me.
Regards.
Daniel Cardenas
Chief, Facilities Security Branch
Division of Facilities and Security, Office of Administration
Office Email: Daniel.Cardenas@nrc.gov
From: Gagnon, Ronald
Sent: Tuesday, March 03, 2015 9:16 AM
To: Norman, Robert; Adler, James
Subject: FW: Need-to-Know requirements for SUNSI
Gentlemen,
Good morning. I thought that I would share the exchange below since part of what is discussed will soon fall under CUI.
Ron
Ronald E. Gagnon CUI Program Manager IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873
From: Criscione, Lawrence
Sent: Tuesday, March 03, 2015 8:57 AM
To: Correia, Richard; West, Steven
Cc: Janney, Margie; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel; Gagnon, Ronald
Subject: RE: Need-to-Know requirements for SUNSI
Steve/Rich,
Once again, my direct questions on SUNSI were side-stepped. Other than items 1.d and 2.c below, I did not get answers but rather a re-iteration of obfuscated policies. Items 1.a, 1.b, and 1.c were dished off to you (i.e. my office leadership). Please provide me answers:
1.a) Who are the subject matter experts for flooding and dam failures?
1.b) What document designates them as such?
1.c) What guidance do they use to determine what is sensitive and what is not?
If you cannot answer these questions, it's likely because there is no appointed authority and guidance for determining what is and what is not SUNSI with regard to flooding/dam failure information. That is, we are not professionally addressing this issue but are rather just conservatively caving in to "speculative or abstract fears" instead of diligently balancing wide and open discussion of significant nuclear safety issues (e.g. a Fukushima scenario in South Carolina or Nebraska) against realistic terrorist capabilities and threats.
I find it disturbing that item 2.a cannot be directly answered. The answer should be: per federal law (5 USC §7211) Congressional offices have a de-facto right to information that is not otherwise legally restricted. That is, the right of Congress to receive information is vividly clear in 5 USC §7211 and as long as the sharing of that information does not conflict with other federal laws which the Congress has passed (e.g. laws limiting the distribution of Special Compartmentalized Information) then the information can be directly shared with any Congressional office (i.e. Congressional offices have a de-facto "need-to-know" with regard to SUNSI). I find it troubling that no one is willing to give me this answer. By failing to give me this answer, I am unsure as to whether or not I am allowed-if I feel a significant nuclear safety issue is not being adequately addressed-"to petition Congress or a Member of Congress, or to furnish information to either House of Congress, or to a committee or Member thereof". Please clarify whether or not the technical staff needs to obtain any permissions-such as permission from either their chain of command or from the Office of Congressional Affairs-prior to sharing information with a Congressional office.
Item 2.b is about internal need-to-know as it relates to SUNSI. Late last year, Richard Perkins shared a document with me that pertained to guidance provided for using Exemption 5 (pre-decisional information) in preparing documents for release under the FOIA. That guidance was marked "Attorney-Client Privilege" (a form of SUNSI). Note that I did not need "access to specific information to perform or assist in a lawful and authorized governmental function". That is, I was not assigned to work on a FOIA that required use of the guidance. Richard shared it with me because he was concerned the guidance was illegal and he wanted my opinion. Did he violate "need-to-know"?
I have never been assigned any work pertaining to addressing flooding at nuclear power plants. Yet many of the people copied on this email have discussed SUNSI documents with me pertaining to that issue. Are they violating "need-to-know"? If so, how are they to determine with which of their colleagues can they discuss this nuclear safety issue? How are they to "make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function"? For example, how is someone from NRR to know whether or not I have been authorized to work on flooding? Are they to contact my branch chief prior to having any discussion with me? And what then when they are told I am not assigned to work on any flooding issues? Are they allowed to collegially get my opinion on the documents anyway? Or is this nuclear safety information to be silo'd in the same manner that Special Compartmentalized Information concerning military operations is rightfully silo'd? These are not rhetorical questions. Please provide me answers. Are we allowed to get our colleague's opinions on issues to which they were not formally assigned?
Finally, if these are truly matters that should be decided at the office level (as Ron Gagnon indicated in his response below) then I would like to volunteer to become the RES subject matter expert on security issues surrounding flooding and dam failure-assuming my branch chief would support that. I will gladly determine what federal courses and workshops are available concerning the determination of security sensitivity and regarding open government initiatives. I can attend those workshops and develop guidance that diligently balances the public's right to know about significant nuclear safety issues against any legitimate security concerns that might exist.
V/r, Larry From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI
- Larry, Please see my replies adjacent to your questions.
Thank you, Ron Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel
Subject:
RE: Need-to-Know requirements for SUNSI Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.
I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):
1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.
1.b) What document designates them as such? Check with your office leadership.
1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).
1.d) If you disagree with their determination, is there an appeal process?
As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.
2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.
2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.
2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized/ entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:
http://www.internal.nrc.gov/incident.html (please note that other notifications may be necessary depending on the type of spill).
R/
Larry From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard
Subject:
RE: Need-to-Know requirements for SUNSI
Good afternoon Larry.
It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:
If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.
Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.
Please let me know if I can be of further assistance.
Thank you for your questions, Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie
Subject:
FW: Need-to-Know requirements for SUNSI From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph
Subject:
Need-to-Know requirements for SUNSI Auto forwarded by a Rule SUNSI Resource:
I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:
NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html FAQs available on the SUNSI website address commonly requested topics:
http://www.internal.nrc.gov/sunsi/faq.html My questions are:
- 1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
- 2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?
Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:
"Or put another way... If information appeared on the front page of the Washington Post and you cringe when you see it.... It's probably sensitive".
I believe that:
- The above definition is deleterious to our goals of openness and transparency
- Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it appeared on the front page of the Washington Post it would make us cringe.
I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.
Larry Lawrence S. Criscione 573-230-3959 Sent:
Wednesday, February 18, 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick
Subject:
RE: OIG Case 13-001 and OUO-SRI
http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.
Regards (b)(7)(C)
From: Criscione, Lawrence Sent: Thursday, February 12, 2015 11:28 AM To: (b)(7)(C)
Subject: RE: OIG Case 13-001 and OUO-SRI Thanks (b)(7)(C). Daniel Cardenas referred me to Admin but did not give me the name of a contact.
Thursday, February 12, 2015 9:08 AM To: Criscione, Lawrence
Subject:
RE: OIG Case 13-001 and OUO-SRI Let me make some phone calls Larry (b)(7)(C)
From: Criscione, Lawrence
Sent: Wednesday, February 11, 2015 1:48 PM
Subject: OIG Case 13-001 and OUO-SRI (b)(7)(C) Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
Please see my email below to Daniel Cardenas. I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike SGI and classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?).
- V/r, Larry From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:37 PM To: (b)(7)(C)
Subject:
OIG Case 13-001 (b)(7)(C)
Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.
The investigation for Case 13-001 closed on September 11, 2013.
As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:
http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf
The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information". Given that OUO-SRI documents are not portion marked, I still have no understanding of:
- 1. How I am to determine what exactly in those documents is OUO-SRI
- 2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
- 3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
- 4. How to determine who has a "need to know" with regard to OUO-SRI information R,
Larry From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Who Determines Need-to-Know?
Thanks Rich.
I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"
For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?
Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?
From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
RE: Need Assistance from RES and NTEU
- Larry,
I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10 CFR 73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.
Rich Richard Correia, PE
- Director, Division of Risk Analysis Office of Nuclear Regulatory Research US NRC richard.correia@nrc.gov From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward
Subject:
Need Assistance from RES and NTEU Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.
On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.
I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.
If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.
Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl
Subject:
FW: Questions
- Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitutes "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.
I look forward to your answers.
Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Thursday, October 25, 2012 9:37 PM To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject:
Questions
- 1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:
When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.
I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?
- 2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:
"... no person, including employees of the U.S. Government, NRC,....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."
I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."
Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?
Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":
Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?
- 3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:
- NRC office originating the information
- Office that has primary interest in the information
- Source from which the information was derived
- 4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only - Security-Related Information"?
I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO - SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.
R, Larry From: Criscione, Lawrence Sent: Thursday, October 25, 2012 5:50 PM To: Cardenas, Daniel
Subject:
RE: Information Release The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?
From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:39 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Subject:
Re: Information Release Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.
Regards.
Dan
- Sent from an NRC Blackberry -
Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email: Daniel.Cardenas@nrc.gov Office Number: (301) 415-6184 Cell Number: (b)(6)
Fax Number: (301) 415-5132 From: Criscione, Lawrence To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Sent: Thu Oct 25 17:31:31 2012
Subject:
RE: Information Release
- Daniel,
My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.
The only personnel outside the NRC to whom I have provided "Official Use Only - Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.
Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.
Is my union steward allowed to accompany me to the meeting?
V/r, Larry Criscione 573-230-3959 From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:01 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen
Subject:
Information Release Importance: High Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.
http://www.internal.nrc.gov/sunsi/
If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.
Please schedule a time to discuss this matter with me.
Regards.
llanltl Cllrde11as Chief, Fec1liries Secunly Branch Division of Pac1ii1ics und Sccunty, Office of Admm1srra11on Location. T6-EJ I Office Email: Daniel,cardenas_a._nrc,g_ov Office Number- (JOI) 415-6184 NRC Blackbcrry((6 H6j NRC fax: (301 ) 4
\\>;1""'3-~5 """32 __
lJ
NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information

A. Purpose and Scope

This policy is issued to ensure that sensitive unclassified non-safeguards information (SUNSI) is properly handled, marked, and adequately protected from unauthorized disclosure.
"SUNSI" refers to any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.
The various categories of SUNSI have been organized into the following nine groups:
- Allegation information
- Investigation information
- Critical Electric Infrastructure Information (CEII)
- Export Controlled Information (ECI)
- Security-related information
- Proprietary information
- Privacy Act information
- Federal-, State-, foreign government-, and international agency-controlled information
- Sensitive internal information

To the extent that requirements under a section for a particular SUNSI group were already stipulated in a statute, regulation, or other directive, the requirements have been incorporated into this policy. The requirements set forth in this policy and procedures for handling allegation information come from Management Directive (MD) 8.8, "Management of Allegations." The requirements for the handling of Privacy Act information come from the Privacy Act of 1974, as amended, and MD 3.2, "Privacy Act." The requirements for marking incoming confidential commercial or financial (proprietary) information come from 10 CFR 2.390. Requirements for electronic processing, storage, destruction, and transmission of SUNSI can be found in MD 12.6.
When more than one SUNSI group applies to information, the most restrictive handling requirement of the applicable groups should be applied.

B. Applicability

NRC employees, consultants, and contractors are responsible for ensuring the procedures specified in this announcement are followed to protect SUNSI. The use of the word "contractors" includes subcontractors.

C. Handling Requirements for SUNSI

Web Address for Handling Requirements

The handling requirements for SUNSI are published on the NRC internal Web site at http://drupal.nrc.gov/sunsi. The Web site contains detailed requirements for each of nine SUNSI groups in the following fourteen areas:
- Applicable document categories
- Authority to designate
- Access
- Marking
- Coversheet
- Reproduction
- Processing on electronic systems
- Use at home
- Use while traveling or commuting
- Physical copy transmission
- Electronic copy transmission
- Storage
- Destruction
- Decontrol authority

D. Generally Applicable Requirements
1. Marking

Each document containing SUNSI must be properly and fully marked when such markings are required for the SUNSI group. (See item 4, Marking, in the SUNSI group handling requirements http://drupal.nrc.gov/sunsi.)

2. Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.
If doubt exists in any particular case whether it is proper to grant access to SUNSI originating from outside the NRC, NRC contractors, or NRC licensees or applicants, consult with the originating party, the party responsible for the information, or other source from which the information is derived.

3. Ensuring legible markings on copies

All copies must clearly show the protective markings on the original document. Markings on documents submitted for reproduction should be in black or red and dark enough to be reproduced legibly.

4. Packaging SUNSI for Physical Transmission

Material used for packaging SUNSI for physical transmission must be opaque and of such strength and durability as to provide secure protection for the document in transit, prevent items from breaking out of the container, and facilitate the detection of any tampering with the container.

5. Profiling SUNSI in ADAMS

When a document containing SUNSI is authorized to be entered into the Agencywide Documents Access and Management System (ADAMS), personnel entering the document must ensure that one of the sensitive values (e.g., Sensitive-Security Related - Periodic Review Required, Sensitive-Proprietary, Sensitive-Protected subject to adjudicatory order, etc.) is marked in the "Document Sensitivity" profile property and that the "Availability" profile property is marked as "Non-Publicly Available."
Identifying the appropriate document sensitivity and availability along with the markings on the documents will aid in protecting SUNSI. It will also alert staff to the sensitivity of the document when it is requested under the Freedom of Information Act (FOIA) or the Privacy Act, thus ensuring that the document is properly reviewed under FOIA and Privacy Act exemptions standards.

6. Removal of Markings

Normally, a document will retain its markings until the agency decides that the document will be made public either on its own discretion or in response to a FOIA request. Before releasing a document with a SUNSI marking, the marking on the copy to be released should preferably be blackened out or, at a minimum, marked through in such a way that it conveys that the marking is no longer applicable to the document. This should be done on each page containing a marking.
7. Inadvertent or Unauthorized Release of SUNSI

Whenever SUNSI is inadvertently released or disclosed by NRC personnel or contractors, a security incident has occurred. Some examples of SUNSI-related security incidents include leaving sensitive unclassified documents or material unattended, unsecured, or improperly stored (including on shared network drives unless access controls are applied); improper transmission of sensitive unclassified documents or material; allowing an unauthorized person access to sensitive unclassified information; and/or failure to safeguard a sensitive unclassified lock combination.
In the event of a SUNSI security incident, in accordance with MD 3.4, "Release of Information to the Public," the office director shall promptly inform the Executive Director for Operations (EDO) and the Office of the Inspector General (OIG).
In accordance with MD 12.1, "NRC Facility Security Program," NRC employees and contractors shall report all security incidents immediately following their occurrence or observed occurrence by:
A. Completing and submitting an NRC Form 183, "Report of Security Incident." If necessary, the initial report to the Division of Facilities and Security (DFS) may be made orally but must be finalized in writing by submitting an NRC Form 183 to DFS. A report should not contain any SGI or classified information unless the report is protected according to the level of information involved when transmitted or verbally communicated to DFS through an authorized secure telecommunications system or secure information technology (IT) system. A security incident may be initially reported by telephone to 301-415-6885, or online at http://drupal.nrc.gov/content/report-safety-or-security-incident.
B. A contractor shall immediately report a security incident to DFS and send a copy to the NRC project officer and/or Contract Officer Representative (COR) and the regional security advisor, if appropriate. The report must include the details of the incident, as well as the name of the person who committed it. If the contractor does not have the capability to complete and submit the NRC Form 183, the COR must do so on behalf of the contractor.
C. The NRC Form 183 must contain the following:
- 1) The full name of the individual involved;
- 2) The individual's office and title or if a contractor, the company and COR's name;
- 3) The classification of the information involved, but not the vulnerability if it has not been corrected; and
- 4) The date, reason or cause, and nature of the incident.

8. Consequences of non-compliance with protecting SUNSI

Consequences of non-compliance with protecting SUNSI may include:
A. Removal of system access for a specified period of time;
B. Mandated training regarding the information about the specific security incident; and/or
C. Possible disciplinary action up to and including removal from Federal service or the contract. (See MD 12.1, "NRC Facility Security Program," and MD 12.5, "NRC Cybersecurity Program").
9. Release of Information to the Public

Each document considered for routine release to the public by the agency must be reviewed to determine whether the document is releasable under NRC policy (see MD 3.4, "Release of Information to the Public"), including application of screening criteria for determining if information should be withheld from public disclosure because it could reasonably be expected to be useful to a potential adversary. (See http://drupal.nrc.gov/sunsi/34661.)
Each document requested by the public via FOIA or the Privacy Act must be reviewed to determine whether the document, or part thereof, is releasable or is exempt from public disclosure. (See MD 3.1, "Freedom of Information Act" and MD 3.2, "Privacy Act.")
The presence or absence of cover sheets or markings as "Allegation Information," "Investigation Information," or similar markings, does not determine whether a document may be withheld from the public. Whenever an NRC employee has a question regarding the releasability of information, the employee should consult with the employee's supervisor or-
- The Governance & Enterprise Management Services Division (GEMSD), Office of the Chief Information Officer (OCIO) if a request for information involves the Freedom of Information Act (FOIA) or the Privacy Act. (See MD 3.1, "Freedom of Information Act" and MD 3.2, "Privacy Act.")
- The Office of Enforcement (OE) regarding allegation information.
- The Office of Investigations (OI) regarding OI investigation information.
- The Office of the Inspector General (OIG) regarding OIG investigation information.
- The Office of Nuclear Reactor Regulation (NRR) or the Office of Nuclear Material Safety and Safeguards (NMSS), as appropriate, on whether a document contains 10 CFR 2.390(d)(1) information.
- The Office of the General Counsel (OGC), or appropriate regional counsel, on legal questions.

Other Government and International agencies should be consulted before documents bearing restrictive markings or containing SUNSI of primary interest to them are released to the public.

10. "No Comment" Policy for SUNSI

Should SUNSI appear in the public domain (e.g., newspapers) prior to the agency's official release of that information and should an NRC employee be contacted by an organization outside of the agency to confirm or deny either the accuracy or sensitivity of the released information, the NRC employee should respond to such a request with a "no comment" statement. If an NRC employee has any questions about how to handle a request for comment about an unauthorized release of SUNSI, the employee should consult with the employee's supervisor or the originator of the information.

11. Security Preparations Required for Hearings, Conferences, or Discussions

NRC personnel, NRC consultants, NRC contractor personnel, and others (e.g., bidders) who arrange or participate in hearings, conferences, or discussions (see MD 3.5, "Attendance at NRC Staff Sponsored Meetings") involving SUNSI shall-
- Ensure before a hearing, conference, or discussion that participating personnel are identified and are authorized to have access to the information to be discussed.
- Inform participating personnel that the specific information they will receive is SUNSI and advise them of the protective measures required.
- Ensure that no discussion takes place that is audible or visible to persons not authorized access to the information.
8/3/2020 Security-Related Information | NRC Intranet (https://drupal.nrc.gov/sunsi/34643)

Security-Related Information

CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov

APPLICABLE DOCUMENT CATEGORIES
- 10 CFR 2.390 Information
- Information that could be useful, or could reasonably be expected to be useful to a terrorist in a potential attack that does not qualify as Safeguards or Classified Information (see Staff Guidance for Screening Documents that Could be Useful to a Terrorist)

AUTHORITY TO DESIGNATE
NRC-Originated Information: The originator proposes and the signer approves designation.
Information Received by NRC: The office principally responsible for the information.

ACCESS
Who may have access?
NRC staff, contractors, or consultants who have a need-to-know the information to perform their official duties.

NEED-TO-KNOW CONTROLS
Do need-to-know controls apply?
- Need-to-know controls must be applied to the information.
- Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.
MARKING
What documents should be marked?
Mark all pages of all documents.
Who may authorize document marking?
Originator, supervisor, or principal recipient.
How should a document be marked?
NRC-Generated Documents: Mark the top and bottom of each page - "Official Use Only - Security-Related Information."
Documents Generated by Licensees, Applicants, Contractors or Other Outside Persons/Organizations Subject to NRC Jurisdiction: Mark the top of each page - "Security-Related Information - Withhold Under 10 CFR 2.390."
When is portion or page marking required?
- If an entire page of a document containing OUO-SRI contains other categories of information, including non-sensitive information.
- On documents that may be released following the redaction of sensitive information.
The following criteria apply when considering whether a document contains nuclear/security-related information (see Criteria for Nuclear/Security-Related Information).

COVERSHEET
When should a cover sheet be used?
Not applicable.
What cover sheet is used?
Not applicable.

REPRODUCTION
How many copies may be made?
Reproduction is limited to the number of copies needed for official use unless stated otherwise on the document.
Copies must clearly show the original markings.
Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, printers, copiers, or any other electronic medium.
PROCESSING ON ELECTRONIC SYSTEMS
On what information systems may the document be processed?
NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cyber Security Program."
Is encryption required while data is at rest?
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
May the information be processed in ADAMS?
Security-Related Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform their official duties. ADAMS Sensitivity Code: A.3 - Sensitive-Security-Related - Periodic Review Required

USE AT HOME
May I use the document at home?
Yes. Abide by the following requirements.
- Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).
- Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.
- To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.
- Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
- Employees are expressly prohibited from processing SUNSI on personally owned computers, even when an encrypted storage media is employed.
- It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance.
May I use the information at home under the NRC Flexible Workplace Program?
Yes. Abide by the following requirements.
- Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices.
- If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
- To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be viewed by any other individual who is not authorized access.
- Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
- Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
USE WHILE TRAVELING OR COMMUTING
May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:
- Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
- Individuals should hand carry protected information during travel only if other means for transmitting the information, (e.g., mailing ahead, secure information sharing), are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
- Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.
- Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5, to preclude unauthorized access if the laptop or device is lost or stolen.
- The information should be returned to an NRC authorized storage location at the earliest possible opportunity.

PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC (Including Regions): Information may be -
- Hand-carried.
- Sent via NRC's interoffice mail system.
- Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
- Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.
Outside the NRC: Information may be transmitted by -
- NRC Messenger/NRC contractor messenger.
- U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service where available.
- Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession where possible unless they place the document in the custody of another person authorized access.
- Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope. Request tracking service where available.
- Other means approved by OIS and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).
Encryption: All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be emailed or faxed.
Outside the NRC: Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.
Electronic files must contain appropriate markings.

STORAGE
Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.
Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.
For storage requirements of other Federal, State, Foreign Government, and International Agency controlled information use their guidelines.

DESTRUCTION
Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).
Non-Official Record Copies: Destroy as indicated below:
- Using an ADM/DFS approved shredder that has been approved to destroy Classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
- Placed in a Sensitive Unclassified Waste Disposal Container.
- Tear into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
- Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.

DECONTROL AUTHORITY
Originating office or office primarily responsible for the information.
8/3/2020 Sensitive Internal Information | NRC Intranet (https://drupal.nrc.gov/sunsi/34644)

Sensitive Internal Information

CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov

APPLICABLE DOCUMENT CATEGORIES
- Attorney-Client Privilege
- Attorney Work Product
- Includes any predecisional information that rises to a level of sensitivity to justify it being protected as SUNSI. As such SII includes predecisional enforcement information but can also include other types of predecisional information. A subject matter expert should make a determination whether the specific predecisional information rises to a level that requires protecting it as SUNSI.
- Information submitted to the Commission marked "Sensitive"
- Information Systems Vulnerability Information (information that, if not protected, could result in adverse effects to information systems)
- Sensitive - Not For Distribution (Except to Commission Adjudicatory Employees in Accordance with 10 CFR 2.348)
- Source selection information other than proprietary information

AUTHORITY TO DESIGNATE
For NRC originated information, originator proposes - signer approves.
For NRC received information, office principally responsible for the information.
ACCESS
Who may have access?
NRC employees or NRC contractor employees who have a need-to-know the information to perform their official duties.

NEED-TO-KNOW CONTROLS
Do need-to-know controls apply?
- Need-to-know controls must be applied to the information.
- Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access.

MARKING
What documents should be marked?
Mark all pages of all documents.
Who may authorize document marking?
Originator, supervisor, or principal recipient.
How should a document be marked?
Mark at top and bottom of each page.
Mark as "Official Use Only - Sensitive Internal Information" OR use more specific markings, as illustrated in the following examples:
- For Attorney-Client Privilege: "Official Use Only - Attorney-Client Privilege"
- For Attorney Work Product: "Official Use Only - Attorney Work Product"
- For Predecisional Enforcement Information: "Official Use Only - Predecisional Enforcement Information"
- For Adjudicatory Material: "Official Use Only - Adjudicatory Material"
When is portion or page marking required?
- If an entire page of a document containing OUO-SRI contains other categories of information, including non-sensitive information.
- On documents that may be released following the redaction of sensitive information.
The following criteria apply when considering whether a document contains nuclear/security-related information (see Criteria for Nuclear/Security-Related Information).

COVER SHEET
When should a cover sheet be used?
Not required.
Note: Use of the green "Official Use Only" cover sheet has been discontinued.
What cover sheet is used?
Not applicable.

REPRODUCTION
How many copies may be made?
Reproduction is limited to the number of copies needed for official use unless document contains restrictions.
Copies must clearly show the original markings.
Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, printers, copiers, or any other electronic medium.
I TOP PROCESSING ON ELECTRONIC SYSTEMS On what Information systems may the document be processed?
Is encryption required while data Is at rest?
May the Information be processed in ADAMS?
USE AT HOME May I use the document at home?
May I use the https://drupal.nrc.gov/sunsi/34644 NRC LAN and other systems authorized to operate by the NRC under M_D_l2.5, "NRC Cybersecurity Program."
0MB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC. automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
Sensitive Internal Information may be entered Into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform their official duties. ADAMS Sensitivity Code: A. 7 Note: Sensitive Internal Information has two (2) sub-categories within the A.7 sensitivity code. Therefore, you must select the proper A.7 based on the following criteria:
Sensitive Internal Information
- No Periodic Review Required - contains attorney-client privilege, attorney work product, or predecisional enforcement information.
Sensitive Internal Information - Periodic Review Required - contains all other Sensitive Internal Information IOP Yes. Abide by the following requirements:
Employees are prohibited from using, handling, and storing the Information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).
Occasiona l use at an employee's residence requires approval of the employee's Immediate supervisor or above.
Electronic work from home must use an NRC computer or an NRC authorized capability, such as BYOD or CITRIX.
To ensure that the information is not viewed or accessed Inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who Is not authorized access.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on personally owned computers even when an encrypted floppy disk, CD, DVD, or thumb drive is the storage media.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance.
Yes. Abide by the following requirements.
information at home under the NRC Flexible Workplace Program?
If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
USE WHILE TRAVELING OR COMMUTING
May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:
Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
Individuals should hand carry protected information during travel only if other means for transmitting the information, e.g., mailing ahead, secure information sharing, are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped, in hotel security facilities if possible.
Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device to preclude unauthorized access if the laptop or device is lost or stolen.
The information should be returned to an NRC authorized storage location at the earliest possible opportunity.
PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC:
Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).
Outside the NRC: Information may be transmitted by -
NRC Messenger/NRC contractor messenger.
U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail.
Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession to the maximum extent possible unless they place the document in the custody of another person authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope.
Other means approved by OIS and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html)
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be emailed or faxed.
Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
Outside the NRC: Information may be transmitted by -
Fax: May use non-secure facilities where it is confirmed that a recipient who is authorized to access the information will be present to receive the information.
E-Mail: All SUNSI information must be encrypted during transmission outside of the internal network as stated in MD 12.5. Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.
Otherwise, transmit a physical copy in the manner set forth above.
Electronic files must contain appropriate markings.
STORAGE
Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.
Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems authorized to operate under MD 12.5.
DESTRUCTION
Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).
Non-Official Record Copies: Destroy copies other than the official record version by any means that prevents reconstruction in whole or part, including the following methods:
Using an ADM/DFS approved shredder that has been approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
Placing in a Sensitive Unclassified Waste Disposal Container.
Tearing into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY
Originating office or office primarily responsible for the information.
8/3/2020 Sensitive Unclassified Non-Safeguards Information (SUNSI) | NRC Intranet
Sensitive Unclassified Non-Safeguards Information (SUNSI)
SUNSI is defined as any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.
The NRC generates and receives many categories of documents containing SUNSI. Each category of documents falls into one of nine SUNSI handling groups. NRC employees, consultants, and contractors are responsible for properly protecting SUNSI documents in accordance with procedures established for the eight handling groups.
The presence or absence of markings or cover sheets does not entirely determine whether a document may be withheld from or released to the public. Whenever an NRC employee has a question regarding the denial or releasability of a document, whether it is marked or not, the employee should consult with their supervisor and/or the originator of the document, the SUNSI guidance contained on this site, and MD 3.4, "Release of Information to the Public."
General guidance applicable to all SUNSI handling groups is contained in NRC Policy and Procedures for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information (SUNSI). For detailed information on handling requirements for each of the nine SUNSI groups, follow the appropriate link below, or use the navigation buttons above.
Staff are reminded of the need to protect SUNSI via yellow announcement YA-19-0102, "Policy Reminder of the NRC's Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI and Applicable MDs," (ML19298D153). Specifically, the YA notes possible consequences of non-compliance with protecting SUNSI including: (a) removal of system access for a specified period; (b) mandated training regarding the information about the specific security incident; and (c) possible disciplinary action up to and including removal from the Federal service.
SUNSI Information must be protected with respect to "need-to-know." The definition of need-to-know was provided via yellow announcement YA-16-0052, "Change to Need-to-Know Definition" (ML16111A432). The definition is stated as follows:
"Need-to-Know"
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
The Commission has approved the Office of General Counsel's guidance and recommendations for program offices regarding finalized procedures to allow potential intervenors to gain access to relevant records that contain sensitive unclassified non-safeguards information and safeguards information. To review the guidance and recommendations see the final procedures (ML080440239) and SRM-SECY 0215 (ML080320502).
All SUNSI must be encrypted when the information is outside of NRC facilities as stated in MD 12.5. This includes the requirement to encrypt the information during transmission outside of the internal network. All encryption used by NRC must use FIPS 140 validated algorithms and cryptographic modules or encryption approved by the National Security Agency for protection of classified information. Contact Kathy Lyons-Burke, Senior Level Advisor for Information Security, Office of the Chief Information Officer (OCIO) with any questions regarding information protection policy.
SUNSI Groups and Applicable Document Categories

Allegation Information
- Confidential Allegation Information
- Sensitive Allegation Information

Investigation Information
- Office of the Inspector General (OIG) investigation-related documents
- Office of Investigations (OI) investigation-related document

Critical Electric Infrastructure Information (CEII)
Information related to a system or asset of the bulk-power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.
CEII is exempt from disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(3), and includes (but is not limited to) specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:
(i.) Relates details about the production, generation, transportation, transmission, or distribution of energy;
(ii.) Could be useful to a person in planning an attack on critical infrastructure; and
(iii.) Does not simply give the general location of the critical infrastructure.
(See CEII page: "what documents should be marked" and "how should a document be marked" sections for guidance on marking documents received or generated by NRC as CEII.)

Export Controlled Information (ECI)
Statutory and regulatory authorities for export controlled information (ECI) provide designation authority to agencies other than the U.S. Nuclear Regulatory Commission (NRC). Questions about ECI designations should be referred to the Office of the Chief Information Officer who will coordinate with the U.S. Department of Energy (DOE), U.S. Department of Commerce (DOC), or U.S. Department of State (DOS) as necessary.

Security-Related Information
- 10 CFR 2.390 Information
- Licensee-submitted information that may qualify as Critical Infrastructure Information as defined by other agencies including -
- Information that could be useful, or could reasonably be expected to be useful to a terrorist in a potential attack that does not qualify as Safeguards or Classified Information (see Staff Guidance for Screening Documents for Information that Could be Useful to a Terrorist)
- Sensitive Homeland Security Information - Department of Homeland Security (DHS) to define

Proprietary Information
- Trade Secrets or Confidential Commercial or Financial Information.
- INPO Private - Institute of Nuclear Power Operations (INPO)
- Source Evaluation Proprietary Data

Privacy Act/Personally Identifiable Information
- Privacy Act - All information contained in a Privacy Act System of Records (see the "Privacy Act System of Records Notice").
- Personally Identifiable Information (PII) - All information that can be used to distinguish or trace an individual's identity.
- PII Relationship to Privacy Act - Only PII that is part of a Privacy Act system of records will be protected by the provisions of the Privacy Act. Therefore, while some PII may be considered Privacy Act information, not all of it is. PII that is contained in documents, files, or databases not part of a system of records will not receive the specific benefits of this legal protection but is to be treated in accordance with applicable agency policy for handling sensitive information.

Federal-, State-, Foreign Government- and International Agency-Controlled Information
- Information not to be released to foreign nationals without the permission of the author or originating agency (NOFORN)
- Not For Public Disclosure Under Terms of the Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
- Law Enforcement Sensitive (Federal & State Law Enforcement Agencies)
- For Official Use Only (FOUO) - Department of Defense (DOD)
- Official Use Only (OUO) - Department of Energy (DOE)
- Unclassified Controlled Nuclear Information (UCNI) - DOE
- Naval Nuclear Propulsion Information (NNPI) - DOE
- Sensitive but Unclassified (SBU) - Department of State (DOS)
- Government-Controlled Information
- Foreign Government-Controlled Information
- State Agency-Controlled Information

Sensitive Internal Information
- Attorney-Client Privilege
- Attorney Work Product
- Predecisional Enforcement Information
- Sensitive - Not For Distribution (Except to Commission Adjudicatory Employees in Accordance with 10 CFR 2.348)
- Information submitted to the Commission marked "Sensitive"
- Source selection information other than proprietary information

Consolidated guidance on SUNSI was developed in response to recommendations made by the EDO's Task Force on Management of Sensitive Unclassified Non-Safeguards Information (SUNSI). The final report of the task force is available in ADAMS under accession number ML043170097.
CUI Briefing
ISOO - CUI Briefing - January 27, 2017 - presented January 27, 2017 at the National Archives and Records Administration
What's New in SUNSI?
SUNSI is being transitioned to Controlled Unclassified Information (CUI)
SUNSI Policy and Procedures
Inadvertent or Unauthorized Release of SUNSI
Marking SUNSI in Electronic Formats
Frequently Asked Questions
Contact SUNSI.Resource@nrc.gov
https://drupal.nrc.gov/sunsi
8/3/2020 Policy Reminder of the NRC'S Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI a...
Subject: Policy Reminder of the NRC'S Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI and Applicable MDs
ANNOUNCEMENT CATEGORY: Policy Reminder
ML#: ML19298D153
MANAGEMENT DIRECTIVE#: MD 12.1, MD 12.5, MD 12.6
TO: All NRC Employees
Yellow Announcement: YA-19-0102
Date: December 9, 2019
Expiration Date: June 30, 2020
SUBJECT: POLICY REMINDER OF THE U.S. NUCLEAR REGULATORY COMMISSION'S POLICY FOR PROTECTING SENSITIVE UNCLASSIFIED NON-SAFEGUARDS INFORMATION AS DESCRIBED IN THE NRC POLICY FOR HANDLING, MARKING, AND PROTECTING SENSITIVE UNCLASSIFIED NON-SAFEGUARDS INFORMATION AND APPLICABLE MANAGEMENT DIRECTIVES
The Office of the Chief Information Officer (OCIO) has become aware of several recent security incidents regarding the handling of sensitive unclassified non-safeguards information (SUNSI), including some that could have potentially resulted in a release of information to external entities without a need-to-know. Additionally, OCIO's Data Loss Prevention monitoring tools have continued to identify the transmission of unencrypted SUNSI information to external parties and personal e-mail. Although these incidents are reported to office management, the mishandling of SUNSI information persists. This Yellow Announcement reminds staff of the U.S. Nuclear Regulatory Commission (NRC) policy for protecting SUNSI and reinforces NRC policy for noncompliance including potential disciplinary action.
Background
Management Directive (MD) 12.6, "NRC Sensitive Unclassified Information Security Program," describes NRC policy regarding NRC personnel responsibility for ensuring that sensitive unclassified information is marked, handled, and protected from unauthorized disclosure under pertinent laws, other NRC MDs, and applicable directives of other Federal agencies and organizations. The SUNSI policy, posted on the SUNSI Web site, "NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information," updated SUNSI categories and describes applicable requirements not included in MD 12.6. MD 12.1, "NRC Facility Security Program," describes NRC policy regarding potential consequences for failure to protect against unauthorized disclosure of SUNSI and other types of information.
Other documents that describe NRC policy regarding marking, handling, and protection of SUNSI are:
- 1. For the release of information to the public - MD 3.4, "Release of Information to the Public";
- 2. For electronic processing, storage, destruction, and transmission of SUNSI including storage of SUNSI on share drives - MD 12.5, "NRC Cybersecurity Program" and the "NRC Agency-wide Rules of Behavior for Authorized Computer Use";
- 3. For handling allegation information - MD 8.8, "Management of Allegations";
- 4. For handling of Privacy Act information - MD 3.2, "Privacy Act," and the Privacy Act of 1974;
- 5. For security incidents, infractions, and violations of SUNSI disclosure - MD 12.1, "NRC Facility Security Program"; and
- 6. For marking incoming confidential commercial or financial (proprietary) information -
As described in the "NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information," SUNSI is organized into the following nine groups:
- 1. Allegation Information;
- 2. Investigation Information;
- 3. Critical Electric Infrastructure Information;
- 4. Export Controlled Information;
- 5. Security-Related Information;
- 6. Proprietary Information;
- 7. Privacy Act/Personally Identifiable Information;
- 8. Federal-, State-, Foreign Government-, and International Agency-Controlled Information; and
- 9. Sensitive Internal Information.
To the extent that a different statute, regulation, or other directive already established the requirements for a particular SUNSI group, this policy incorporates those preexisting requirements. For example, MD 8.8 establishes the requirements and procedures for handling allegation information, while the Privacy Act of 1974, as amended, and MD 3.2 lay out the requirements for handling Privacy Act information. Further, 10 CFR 2.390 establishes the marking requirements for incoming confidential commercial or financial (proprietary) information. Finally, MDs 12.1 and 12.5 contain the requirements for electronic processing, storage, destruction, and transmission of SUNSI. When more than one SUNSI group applies to information, the most restrictive handling requirement of the applicable group applies.
While the NRC is currently working to implement the Controlled Unclassified Information (CUI) program, the SUNSI policies remain in place until the CUI program is fully implemented. NRC employees and contractors will be informed of plans to support the NRC's transition to CUI. Additional information on the CUI program is available at the NRC's CUI Web site.
Applicability
NRC employees, consultants, and contractors are responsible for ensuring that SUNSI is protected in accordance with the procedures specified in applicable policies. The use of the word "contractor" includes subcontractors. SUNSI security incidents, as described in MD 12.1 Handbook Part VIII, Section B, include: leaving sensitive unclassified documents or material unattended, unsecured, or improperly stored (including shared network drives unless access controls are applied); improper transmission of sensitive unclassified documents or material; allowing an unauthorized person access to sensitive unclassified information; and/or failure to safeguard a sensitive unclassified container combination. Consequences of non-compliance with protecting SUNSI may include: (a) removal of system access for a specified period; (b) mandated training regarding the information about the specific security incident; and/or (c) possible disciplinary action up to and including removal from the Federal service.
If you have any questions regarding this policy and procedures, contact SUNSI.Resource@nrc.gov.
/RA/
David J. Nelson
Chief Information Officer
Management Directive References:
- 1. MD 12.1, "NRC Facility Security Program," Handbook Part VIII (B)(2) and (E)(2)
- 2. MD 12.5, "NRC Cybersecurity Program," Handbook including "NRC Agency-wide Rules of Behavior for Authorized Computer Use"
- 3. MD 12.6, "NRC Sensitive Unclassified Information Security Program," Handbook Part I (A)(2) and (B)
SUBMITTER'S EMAIL: Adam.Glazer@nrc.gov
AUTHORIZING OFFICIAL: David Nelson
SIGNATURE DATE: Monday, December 9, 2019
PUBLISH ON: Monday, December 16, 2019
YELLOW NUMBER: YA-19-0102
https://drupal.nrc.gov/announcements/yellow/policy-reminder/58541
8/3/2020 Proprietary Information | NRC Intranet
Proprietary Information
CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Applicable Document Categories
- Marking
- Authority to Designate
- Cover Sheet
- Access
- Reproduction
- Need-to-Know Controls
- Processing on Electronic Systems
- Storage
- Destruction
- Decontrol Authority
- Use at Home
- Use While Traveling or Commuting
- Physical Copy Transmission
- Electronic Copy Transmission
APPLICABLE DOCUMENT CATEGORIES
Trade Secrets or Confidential Commercial or Financial Information.
INPO Private - Institute of Nuclear Power Operations (INPO).
Source Evaluation Proprietary Data.
Information or records concerning a licensee's or applicant's physical protection, classified matter protection, or material control and accounting program for special nuclear material not otherwise designated as Safeguards Information or classified as National Security Information or Restricted Data.
Information submitted in confidence to the Commission by a foreign source.
AUTHORITY TO DESIGNATE
Business originator makes proprietary claim. For proprietary information to be protected, NRC must accept proprietary claim based on review by the responsible office and OGC, when needed.
ACCESS
Who may have access?
NRC staff, contractors and consultants who have a need-to-know the information to perform their official duties and have the proper clearance.
NEED-TO-KNOW CONTROLS
Do Need-to-know controls apply?
o Need-to-know controls must be applied to the information.
o Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.
MARKING
What documents should be marked?
Mark all documents containing Trade Secrets or Confidential Commercial or Financial Information.
Do not mark documents from INPO designated INPO Private.
Who may authorize document marking?
NRC recipient or originator (or supervisor) pursuant to 10 CFR 2.390.
How should a document be marked?
NRC Generated Documents:
The top and bottom of each page should be marked - "Official Use Only - Proprietary Information."
Incoming Documents:
Marking requirements are defined in 10 CFR 2.390(b) and require marking only at the top of page, and each successive page containing proprietary information, and adjacent to the specific proprietary information.
When is portion or page marking required?
Required for all documents.
If the entire page is not affected, indicate the basis (i.e., trade secret, etc.) for the designation adjacent to the protected information. See 10 CFR 2.390(b)(1)(i)(B).
COVER SHEET
When should a cover sheet be used?
Not required.
What cover sheet is used?
Not applicable.
Note: Use of the yellow Proprietary Information cover sheet has been discontinued, and must not be used.
REPRODUCTION
How many copies may be made?
No reproduction for INPO Private without INPO permission; otherwise see below.
Copies must clearly show the original markings.
Abide by copyright restrictions.
Reproduction limited to number of copies needed for official use.
Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, or removable storage media.
PROCESSING ON ELECTRONIC SYSTEMS
On what information systems may the document be processed?
NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."
Is encryption required while data is at rest?
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
May the information be processed in ADAMS?
Proprietary Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to the group "NRC Users". ADAMS Sensitivity Code: A.4-Sensitive-Proprietary-No Periodic Review Required.
USE AT HOME
May I use the document at home or under the NRC Flexible Workplace Program?
Yes, abide by the following requirements:
If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
When using at home or at an alternate work location abide by the following:
Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts). See exceptions below.
Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.
It is discouraged to take hard-copy material to private residences. If hard-copy material is taken home, it must be brought back to an NRC facility and stored and/or destroyed properly.
To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by any individual who is not authorized access.
Employees who work at home must perform electronic processing of SUNSI on either (1) an NRC-issued laptop with NRC-approved encryption software, (2) a home computer within the virtual environment provided by the agency through CITRIX, or (3) using an NRC authorized solution such as BYOD.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
USE WHILE TRAVELING OR COMMUTING
May I use the information while on official travel or commuting to or from work?
Yes, abide by the following requirements:
Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
Individuals should hand carry protected information during travel only if other means for transmitting the information, e.g., mailing ahead, secure information sharing, are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.
Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.
The information should be returned to an NRC authorized storage location at the earliest possible opportunity and/or destroyed appropriately as described in the "Destruction" section below.
PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
Hand-carried to an individual authorized access to the information.
Sent via NRC's interoffice mail system. Transmit in a single opaque envelope and address to an individual authorized access to the information.
Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope and address to an individual authorized access to the information.
Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope and address to an individual authorized access to the information.
Outside the NRC: Information may be transmitted by -
NRC Messenger/NRC contractor messenger.
U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service if not included.
Hand carried by any individual authorized access to the information. That individual shall retain the information in his or her possession unless they place the document in the custody of another person authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420). Transmit in single opaque envelope and address to an individual authorized access to the information. Request tracking service where available.
Other means approved by OCIO and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC:
Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (Reference Materials for Electronic Submissions).
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be e-mailed or faxed.
Outside the NRC:
All electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
To an authorized user who has a need-to-know the information.
FAX: May use non-secure facilities where it is confirmed that a recipient that is authorized to access the information will be present to receive the information.
E-MAIL: Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.
Electronic files must contain appropriate markings.
STORAGE
Inside the NRC (Headquarters and Regional Offices): Store in locking or in non-locking container within areas where there is supplemental security including electronic access controls (keycard) and/or guards on duty. If management determines additional protection is needed, the information should be stored in key locked file cabinets or equivalent storage containers.
Outside the NRC (Resident Inspector sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.
DESTRUCTION
Official Record Version:
Destroy in accordance with "NRC Comprehensive Records Disposition Schedule" (NUREG-0910).
Non-official Record Copies:
Destroy copies other than the official record version by any means that prevents reconstruction in whole or part, including the following methods:
Using an ADM/DFS approved shredder that has been approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information.
Place in Sensitive Unclassified Waste Disposal Containers.
Tear into one-half inch pieces (in all dimensions) or smaller and dispose of in the trash.
Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data:
Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY
Office primarily responsible for the information.
Information submitted under 10 CFR 2.390 must undergo an acceptance review prior to formal acceptance as Proprietary Information.
Under 10 CFR Part 9, NRC must notify the submitter prior to de-controlling.
Critical Electric Infrastructure Information (CEII) | NRC Intranet
https://drupal.nrc.gov/sunsi/34638
CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Authority to Designate
- Cover Sheet
- Use While Traveling or Commuting
- Access
- Reproduction
- Physical Copy Transmission
- Need-to-Know Controls
- Processing on Electronic Systems
- Electronic Copy Transmission
- Marking
- Use at Home
- Storage
- Destruction
- Decontrol Authority
- Requirements for Contractors
AUTHORITY TO DESIGNATE
ONLY the Federal Energy Regulatory Commission (FERC) has the authority to designate information as CEII.
Agencies are encouraged by FERC to label information believed to be CEII.
ACCESS
Who may have access?
Restricted to those that have a need-to-know the information to perform their NRC work.
Need-to-Know Controls
Do Need-to-know controls apply?
Need-to-know controls must be applied to the information.
Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access. Additionally, recommend considering whether ADAMS document processing contract personnel should have access.
MARKING
What documents should be marked?
Mark all pages of all documents. A recommended practice is that paragraphs containing CEII should be marked.
This CEII marking should be applied to NRC information that is:
Security-related information associated with critical infrastructure; or
Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies for withholding under FOIA exemption 7F)
NRC information that should be labeled and handled as containing CEII includes not only onsite information but also information related to critical infrastructure offsite from the nuclear power plant, such as hydroelectric dams, gas pipelines, and the electric grid.
Who may authorize document marking?
FERC has authority to formally designate information as CEII.
NRC information should be labeled as containing CEII if:
FERC has formally designated the NRC information as CEII; or
Staff believes that the NRC information may be CEII even before a formal FERC designation of that information as CEII
How should a document be marked?
NRC information associated with critical infrastructure (e.g., nuclear power plants, dams, electric grid, etc.) that is potentially CEII and NRC information that has formally been designated by FERC as CEII are to have the same marking: "CEII - DO NOT RELEASE"
All other applicable sensitive information labeling (e.g., Security Related Information) should be retained.
This CEII marking should be applied to NRC information that is:
Security-related information associated with critical infrastructure; or
Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies for withholding under FOIA exemption 7F)
NRC information that should be labeled and handled as containing CEII includes not only onsite information but also information related to critical infrastructure offsite from the nuclear power plant, such as hydroelectric dams, gas pipelines, and the electric grid.
NRC may also receive CEII from other agencies or external parties that already contain CEII markings, such as:
CUI//CEII
CEII - DO NOT RELEASE
Contains Critical Electric Infrastructure Information - DO NOT RELEASE
NRC staff does not need to add any additional CEII markings to information NRC receives from other agencies or external parties that already contain CEII markings.
When is portion or page marking required?
Portion marking is not required, but a recommended practice is that paragraphs containing CEII should be marked.
COVER SHEET
When should a cover sheet be used?
A cover sheet is not required
What cover sheet is used?
Not applicable.
REPRODUCTION
How many copies may be made?
Should only make as many copies as are absolutely required to perform government mission.
Printing from home location allowed using local (non-networked) printer.
PROCESSING ON ELECTRONIC SYSTEMS
On what information systems may the document be processed?
2-factor user authentication is required to gain access to this information
Controls at the moderate sensitivity level are required.
Is encryption required while data is at rest?
CEII on portable digital media must be encrypted in accordance with MD 12.5
USE AT HOME
May I use the document at home?
Yes. Abide by the following requirements:
Can process using a government furnished computer, within the NRC CITRIX application, or approved BYOD device container.
Must restrict access to the information so that only those with a need-to-know can see the content and computer session is locked when not in use.
Must obtain supervisor approval to have printed copies at home.
Printed copies access controlled so that only those with a need-to-know can see the content, and printed copies are locked away when not in use.
Printed copies must be destroyed using NRC approved Shredder.
All information must be encrypted in accordance with MD 12.5
May I use the information at home under the NRC Flexible Workplace Program?
Yes. Abide by the requirements listed under home use above.
USE WHILE TRAVELING OR COMMUTING
May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:
Can process using a government furnished computer, within the NRC CITRIX application, or approved BYOD device container.
Must restrict access to the information so that only those with a need-to-know can see the content and computer is locked when not in use.
Must obtain supervisor approval to have printed copies while traveling or commuting.
Printed copies access controlled so that only those with a need-to-know can see the content, and printed copies are locked away when not in use.
Printed copies must be destroyed using NRC approved Shredder.
PHYSICAL COPY TRANSMISSION
May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
Hand-carried.
Sent via NRC's interoffice mail system.
Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.
Outside the NRC: Information may be transmitted by -
NRC Messenger/NRC contractor messenger
U.S. Postal Service: signature required.
Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession to the maximum extent possible unless they place the document in the custody of another person with authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope.
Other means approved by the CIO and the Director, Division of Facilities and Security, ADM.
Encryption:
All electronic media (e.g., CD-Rom, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5
ELECTRONIC COPY TRANSMISSION
May I transmit the document electronically by e-mail or fax?
Yes. Abide by the following requirements:
Electronic transmissions outside of the NRC network must be encrypted and only able to be unencrypted by those individuals with the required access authorization and need-to-know.
STORAGE
If the electronic copy is outside of NRC facilities, the information must be encrypted in accordance with MD 12.5.
NRC provided mobile desktops automatically encrypt the contents of the hard drive.
MaaS360 containers used with personal mobile devices are encrypted
Electronic access to the information must be restricted to those individuals with the required access authorization and need-to-know.
Physical copies must be in a locked container when not in use
DESTRUCTION
Use ADM/DFS approved sensitive information destruction methods.
DECONTROL AUTHORITY
FERC
REQUIREMENTS FOR CONTRACTORS
Ensure contract clauses that include the following:
Restrict access to the information to those with an appropriate background check that have a need-to-know the information to perform their NRC work.
Require controls in accordance with MD 12.5.
Require information protection requirements included here.
Require unauthorized disclosure be reported within 1 hour to the NRC contracting officer.
Export Controlled Information (ECI) | NRC Intranet
https://drupal.nrc.gov/sunsi/57002
CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Authority to Designate
- Storage
- Physical Copy Transmission
- Access
- Reproduction
- Electronic Copy Transmission
- Marking
- Use at Home
- Destruction
- Cover Sheet
- Use While Traveling or Commuting
- Decontrol Authority
- Need to Know controls
- Electronic Identification and Authentication Requirements
- Electronic Information Controls
- Requirements for Contractors
- Unauthorized Disclosure Reporting Requirements
AUTHORITY TO DESIGNATE
Statutory and regulatory authorities for export controlled information (ECI) provide designation authority to agencies other than the U.S. Nuclear Regulatory Commission (NRC). Questions about ECI designations should be referred to the Office of the Chief Information Officer who will coordinate with the U.S. Department of Energy (DOE), U.S. Department of Commerce (DOC), or U.S. Department of State (DOS) as necessary.
Inform submitters that if they submit ECI to the NRC that, by law, may not be shared with foreign nationals, they must label it as such before submitting the information because the NRC may otherwise, as part of its ordinary course of business, provide information it receives to other parties (e.g., contractors) that may employ foreign nationals.
ACCESS
Restrict access to U.S. citizens who have a need to know (NTK) the information to perform their NRC work. ECI may not be provided to individuals who are not U.S. citizens, including foreign assignees working in NRC's offices and contractors.
MARKING
Apply the proper marking to all documents and digital media designated by the applicant or licensee as containing ECI.
Mark documents "Export Controlled Information" at the top and bottom of every page.
Mark electronic media "Export Controlled Information."
COVER SHEET
Use a cover sheet marked "Contains Export Controlled Information."
STORAGE
Adopt a "clean desk" strategy for ECI when it's not attended.
Hard Copies: Lock your computer and put hard copies out of sight (e.g., in a desk drawer, cabinet, or carrying case). Consider ECI to be unattended any time you are not in the same cubicle or office as the ECI.
Electronic Media: Store "audit" discs and other electronic media in an approved safe or other secure location (such as the records vault) unless it is in use. (The DLSE safe is currently located in the Limited Access Computing room in OWFN-2Al).
REPRODUCTION
Make only as many copies as absolutely required to perform the Government's mission.
Printing is only allowed on the NRC's network or other location approved for processing ECI. Secure print should be used.
USE AT A REMOTE WORK LOCATION (i.e., outside of the NRC's offices)
Process the information using a Government furnished computer or within the NRC CITRIX application or with an approved bring-your-own-device (BYOD) container.
Use only approved secured WIFI within a secured BYOD device container or use an NRC issued air card.
Secure laptops that are not in use to prevent loss or access by unauthorized individuals.
Restrict access to the information so that only those with NTK are able to see the content and lock the computer screen when the computer is not in use. Secure computers that are being transported to prevent loss or access by unauthorized individuals.
Obtain prior supervisor approval to have printed copies at home.
Control printed copies so that only those with NTK see the content and secure printed copies in a locked container when they are not in use or are unattended (e.g., a locking drawer within an approved work area at home or a locking cabinet).
Destroy printed copies and electronic media using a destruction method approved by the Office of Administration, Division of Facilities and Security (ADM/DFS).
USE WHILE TRAVELING OR COMMUTING
Require approval by DOE to take electronic or hard copy ECI on travel to a foreign country in accordance with DOE Order 551.1C, "Official Foreign Travel."
Process information using a Government furnished computer within the NRC CITRIX application or an approved BYOD container.
Restrict access to the information so that only those with NTK are able to see the content and lock and password protect the computer screen when the computer is not in use or is unattended.
Obtain prior supervisor approval to have printed copies while traveling or commuting.
Control access to printed copies so that only those with NTK are able to see the content and secure printed copies in a locked container when they are not in use (e.g., a locking drawer with a key(s) under positive control).
Destroy printed copies and electronic media using an ADM/DFS approved destruction method.
PHYSICAL COPY TRANSMISSION
Inside the NRC (including regional office space), information may be -
hand carried
sent through the NRC's interoffice mail system
sent through the NRC's pouch service between Headquarters and the regions (i.e., transmit the information in a single opaque envelope)
sent through approved commercial express carriers between Headquarters and the regions (for time-sensitive material only; use NRC Form 420 and transmit the information in a single opaque envelope)
Outside the NRC, information may be transmitted by -
NRC messenger/NRC contractor messenger
U.S. Postal Service (i.e., first class mail, registered mail, express mail, or certified mail)
hand carried by any individual who has authorized access to the information (that individual shall retain the information in his or her possession to the maximum extent possible unless he or she places the document in the custody of another person who has authorized access)
approved commercial express carriers (time-sensitive material only; use NRC Form 420 and transmit the information in a single opaque envelope)
other means approved by the Chief Information Officer and ADM/DFS
ELECTRONIC COPY TRANSMISSION
Encrypt electronic transmissions to or from e-mail addresses outside the NRC network such that they are only able to be unencrypted by those individuals with the required access authorization and NTK. Encryption is not required if the information is sent to and from an e-mail address inside the NRC network.
DESTRUCTION
Destroy printed copies and electronic media using an ADM/DFS approved destruction method.
DECONTROL AUTHORITY
Decontrol ECI in accordance with the statutory or regulatory authority (e.g., DOE, DOC, DOS, or other relevant Federal entity) under which the information was determined to be ECI.
NEED TO KNOW CONTROLS
Apply "most limited access" controls to the information, including the establishment of predesignated electronic user groups (e.g., on network shared drives or in ADAMS) that exclude administrative and other selected offices without a mission need.
ELECTRONIC IDENTIFICATION AND AUTHENTICATION REQUIREMENTS
Use two-factor user authentication to gain access to this information.
ELECTRONIC INFORMATION CONTROLS
Use controls at the moderate sensitivity level in accordance with the requirements of the Federal Information Security Modernization Act of 2014.
REQUIREMENTS FOR CONTROLS
Ensure contractual documents provide proper export control requirements for work coming into the facility and work being outsourced from the facility that are equivalent NRC controls. To handle this, use the contract clauses in Title 48 of the Code of Federal Regulations (48 CFR) 925.7102, "Contract Clause"; 48 CFR 952.225-71, "Compliance with Export Control Laws and Regulations (Export Clause)"; 48 CFR 970.25713, "Contract Clause"; and 48 CFR 970.5225-1, "Compliance with Export Control Laws and Regulations (Export Clause)," or as approved by ADM/DFS as applicable.
Update NRC Form 187, "Contract Security and/or Classification Requirements," for contracting officer representatives (CORs) to identify requirements for any contract that involves the handling or use of ECI, including the NTK restriction and the U.S. citizenship requirement.
Update the statement of work template to include the NTK restrictions and U.S. citizenship requirement.
Ensure the inclusion of contract clauses that do the following:
Restrict access to the information to U.S. citizens who have NTK for the information to perform their NRC work.
Require unauthorized disclosure be reported within 1 hour to the NRC contracting officer. The contracting officer would immediately report the unauthorized disclosure to the COR, Computer Security Incident Response Team (CSIRT), and ADM/DFS.
UNAUTHORIZED DISCLOSURE REPORTING REQUIREMENTS
Report unauthorized disclosure to the Office of the Chief Information Officer and CSIRT within 1 hour of its discovery.
Federal-, State-, Foreign Government-, and International Agency-Controlled Information | NRC Intranet
https://drupal.nrc.gov/sunsi/34639
CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Applicable Document Categories
- Marking
- Use at Home
- Authority to Designate
- Cover Sheet
- Use While Traveling or Commuting
- Access
- Reproduction
- Physical Copy Transmission
- Need-to-Know Controls
- Processing on Electronic Systems
- Electronic Copy Transmission
- Storage
- Destruction
- Decontrol Authority
APPLICABLE DOCUMENT CATEGORIES
Information not to be released to foreign nationals without the permission of the author or originating agency (NOFORN, Export Controlled Information (DOE))
Not For Public Disclosure Under Terms of the Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management.
Law Enforcement Sensitive (Federal & State Law Enforcement Agencies)
For Official Use Only (FOUO) - Department of Defense (DOD)
Official Use Only (OUO) - Department of Energy (DOE)
Unclassified Controlled Nuclear Information (UCNI) - DOE
Naval Nuclear Propulsion Information (NNPI) - DOE
Sensitive but Unclassified (SBU) - Department of State (DOS)
Government-Controlled Information
Foreign Government-Controlled Information
State Agency-Controlled Information
AUTHORITY TO DESIGNATE
Originating Federal, State, Foreign Government or International Agency.
8/3/2020 Federal-, State-, Foreign Government-, and International Agency-Controlled Information I NRC Intranet ACCESS Who may have access?
NEED-TO-KNOW CONTROLS Do Need-to-know controls apply?
MARKING What documents should be marked?
Who may authorl1e document marking?
How should a document be marked?
When Is portion or page marking required?
COVERSHEET When should a cover sheet be used?
What cover sheet is used?
REPRODUCTION How many copies may be made?
https://drupal.nrc.gov/sunsi/34639 NRC employees and cont ractors who have a need-to-know the information for the conduct of official business.
o Need-to-know controls must be applied to the information.
o Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do no,t have an obvious mission need from access.
...JOP..
Rely on marking of submitting organization, If the submitting organization's marking Is not sufficient to Indicate the document's sensitivity, contact t he organization to clarify the document markings.
Submitting organization.
Rely on marking of submitting organization. If the submitting organization's marking Is not sufficient to Indicate the document's sensitivity, contact t he organization to clarify the document markings. If additional marking Is deemed necessary, mark the top and bottom of each page as Illustrated In the following examples:
'For Official Use Only - State-Agency Controlled Information - State of Iowa'
'For Official Use Only - Sensitive But Unclassified (SBU) - DOS' Not required; however if an unmarked document containing sensitive information is received, containing Federal-, State-, Foreign Government-, and International Agency-Controlled Information, t he document should be marked to alert users of the sensitivity of the information that is contained within, and the originating agency should be contacted to alert them of the discrepancy.
ror Not required. If other agency marking Is not sufficient to indicate the document's sensitivity, contact th e originating agency to clarify the document markings.
Note: Use of the green "Official Use Only" cover sheet has been discontinued and must not be used.
Not applicable.
Note: Use of the green "Official Use Only" cover sheet has been discontinued and must not be used.
IOF Reproduction limited to number of copies needed for official use unless restriction Is placed on document by submitting organization.
Copies must clearly show the original markings.
2/6
8/3/2020 Federal-, State-, Foreign Government-, and International Agency-Controlled Information I NRC Intranet PROCESSING ON ELECTRONIC SYSTEMS On what information systems may the document be processed?
Is encryption required while data is at rest?
May the information be processed in ADAMS?
USE AT HOME May I use the document at home?
May I use the information at home under the NRC Flexible Workplace Program?
https://drupal.nrc.gov/sunsi/34639 Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, or removable storage media.
I TOP NRC LAN and other systems authorized to operate by the NRC under MD __ 12.5, "NRC Cyber Security Program."
0MB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNS! that Is outside of NRC facilities must be encrypted at rest.
Most applicable document categories listed for this group may be entered Into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the Information to perform t heir official duties. ADAMS Sensitivity Code: A.6-Sensitive-Fed, State, Foreign Government Controlled Information - No Periodic Review Required.
The following document categories may not be entered into ADAMS:
NOFORN Naval Nuclear Propulsion Information (NNPI)
Law Enforcement Sensitive Yes. Abide by the following requirements:
l 10P Employees, contractors, and consultants are prohibited from routinely using, handling, and storing th e information at their residences and on personally owned devices or sending Information to non-NRC email addresses (e.g., personal email accounts).
Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.
To ensure that the Information Is not viewed or accessed Inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by any individual who is not authorized access.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-lssued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
Employees are expressly prohibited from processing SUNS! on personally owned computers even when an encrypted storage media is employed.
It is discouraged to take hard-copy material to privat e residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance. Note: hard-copy of NOFORN, NNPI, and Law Enforcement Sensitive Information are not allowed to be taken home unless specifically approved by the Individual's supervisor or t he contractor's COR.
Yes. Abide by the following requirements:
3/6
8/3/2020 Federal-, State-, Foreign Government-, and International Agency-Controlled Information I NRC Intranet Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices.
If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.
To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be viewed by any other individual who is not authorized access.
Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.
Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.
USE WHILE TRAVELING OR COMMUTING May I use the information while on official travel or commuting to or from work?
PHYSICAL COPY TRANSMISSION May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:
Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.
Individuals should hand carry protected information during travel only if other means for transmitting the information (e.g., mailing ahead, secure information sharing) are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.
Information must be kept in the traveler's personal possession to the extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.
Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5, to preclude unauthorized access if the laptop or device is lost or stolen.
The information should be returned to an NRC authorized storage location at the earliest possible opportunity.
Yes. Abide by the following requirements:
Inside the NRC (including Regions): Information may be -
Hand-carried.
Sent via NRC's interoffice mail system.
Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.
Outside the NRC: Information may be transmitted by -
ELECTRONIC COPY TRANSMISSION May I transmit the document electronically by e-mail or fax?
STORAGE
NRC Messenger/NRC contractor messenger.
U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service where available.
Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession where possible unless they place the document in the custody of another person authorized access.
Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope. Request tracking service where available.
Other means approved by OIS and the Director, Division of Facilities and Security, ADM.
Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
Yes, unless restricted by the submitting agency. Abide by the following requirements:
Inside the NRC (including Regions):
Information may be e-mailed or faxed.
When transmitting information, follow the requirements specified by the Federal, State, Foreign Government, or International agency.
Outside the NRC: Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
Fax: May use non-secure facilities where it is confirmed that a recipient who is authorized to access the information will be present to receive the information.
E-mail: Please follow the guidance outlined in the Office of the Chief Information Officer announcement dated August 9, 2017.
Use of portals that encrypt the information during transmission, such as "BOX", is highly encouraged.
Electronic files must contain appropriate markings.
Unless originating agency provides specific storage requirements, abide by the following requirements:
Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.
Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.
On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.
DESTRUCTION Unless originating agency provides specific destruction guidance, abide by the following requirements:
Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).
Non-official Record Copies: Destroy as indicated below:
Using an ADM/DFS approved shredder that has been approved to destroy Classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
Place in a Sensitive Unclassified Waste Disposal Container.
Tear into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
Burning, pulping, pulverizing, or chemical decomposition.
Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.
DECONTROL AUTHORITY Normally decision will be referred to the originating entity. Originating office or office primarily responsible for the information will consult with originating entity.
8/3/2020 Investigation Information | NRC Intranet
Investigation Information
CONTENT OWNER Page content maintained by: SUNSI.Resource@nrc.gov
Table of Contents
- Applicable Document Categories
- Marking
- Use at Home
- Authority to Designate
- Cover Sheet
- Use While Traveling or Commuting
- Access
- Reproduction
- Physical Copy Transmission
- Need-to-Know Controls
- Processing on Electronic Systems
- Electronic Copy Transmission
- Storage
- Destruction
- Decontrol Authority
APPLICABLE DOCUMENT CATEGORIES Any Office of Investigations (OI) or Office of the Inspector General (OIG) Investigation-related documents.
AUTHORITY TO DESIGNATE OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents in Charge (SAIC's).
OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).
ACCESS Who may have access?
NEED-TO-KNOW CONTROLS Do Need-to-know controls apply?
https://drupal.nrc.gov/sunsi/34640
Personnel authorized by the designated authorities identified under Authority to Designate, above.
o Need-to-know controls must be applied to the information.
o Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access.
MARKING What documents should be marked?
Who may authorize document marking?
How should a document be marked?
When is portion or page marking required?
COVER SHEET When should a cover sheet be used?
What cover sheet is used?
REPRODUCTION How many copies may be made?
All documents shall be marked.
OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents in Charge (SAIC's).
OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).
Header and footer markings specific to either OI or OIG on each page containing Investigation Information.
Examples:
o "Official Use Only - OI Investigation Information"
o "Official Use Only - OIG Investigation Information"
Mark each page of -
o Any Report of Investigation
o Any other designated Investigation-related document.
Portion marking is not required since entire page must be marked.
On all Reports of Investigation for both OI and OIG, and any other designated Investigation-related documents.
Investigation Information Cover Sheet
OI: Distribution of OI Reports of Investigation (ROI) is determined and authorized by the SAIC. Any further dissemination must be authorized by the approving official of the ROI, the SAIC, or as authorized by the Designation Authority.
OIG: As authorized by Designation Authority;
o The Inspector General (IG),
o Deputy Inspector General (DIG),
o Assistant Inspector General for Investigations (AIGI), and
o Senior Level Assistant for Investigative Operations (SLAIO).
PROCESSING ON ELECTRONIC SYSTEMS On what information systems may the document be processed?
Is encryption required while data is at rest?
OI: NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."
OIG: None.
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.
May the information be processed in ADAMS?
USE AT HOME May I use the document at home?
May I use the information at home under the NRC Flexible Workplace Program?
No, for both OI and OIG Investigation Information. ADAMS Sensitivity Code: Not Applicable
No, for OIG Investigation Information.
For OI Investigation Information:
- 1) OI personnel must have the Director of OI's approval to use Investigation Information at home.
- 2) Other NRC staff must comply with the following:
o OI has implemented a procedure to facilitate the limited use of Investigation Information by other NRC staff outside of NRC-controlled space. The procedure requires Office Directors and Regional Administrators to determine it appropriate and necessary for their staff to use Investigation Information outside of NRC-controlled space to complete high priority work projects. Office Directors and Regional Administrators must then make a request for such limited use via memorandum to the Director of OI. The Director of OI will authorize requesting NRC staff to remove the Investigation Information from NRC-controlled space on a case-by-case basis. This agreement will include specific handling requirements and procedures for Investigation Information under the control of the NRC staff members.
o To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.
o Employees are prohibited from using, handling, and storing Investigation Information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts). Electronic work from home must use an NRC computer or an NRC authorized capability, such as CITRIX.
No, for OIG Investigation Information.
For OI Investigation Information:
- 1) OI personnel must have the Director of OI's approval to use Investigation Information at home.
- 2) Other NRC staff must comply with the following:
o OI has implemented a procedure to facilitate the limited use of Investigation Information by other NRC staff outside of NRC-controlled space. The procedure requires Office Directors and Regional Administrators to determine it appropriate and necessary for their staff to use Investigation Information outside of NRC-controlled space to complete high priority work projects. Office Directors and Regional Administrators must then make a request for such limited use via memorandum to the Director of OI. The Director of OI will authorize requesting NRC staff to remove the Investigation Information from NRC-controlled space on a case-by-case basis. This agreement will include specific handling requirements and procedures for Investigation Information under the control of the NRC staff members.
o To ensure that the Investigation Information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the Investigation Information cannot be seen by a family member, guest, or any other individual who is not authorized access.
o Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a home computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on home computers even when an encrypted storage media is employed.
o Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software.
USE WHILE TRAVELING OR COMMUTING May I use the information while on official travel or commuting to or from work?
PHYSICAL COPY TRANSMISSION May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes, while on official travel with the proper security for both OI and OIG.
Hand carry protected information taking care to ensure that the Investigation Information is not compromised through loss or inadvertent access.
Investigation Information must be kept in traveler's personal possession to the extent possible, and stored, appropriately wrapped, in hotel security facilities if possible.
Return Investigation Information to an NRC authorized storage location at the earliest possible opportunity.
Information must not be saved/stored on a personally owned computer or sent to non-NRC email addresses (e.g., personal email accounts). Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.
Inside the NRC:
OI:
- Normally, hand carried.
- For internal mail, double-sealed "Addressee Only" envelope.
- Between field offices and between a field office and HQ, commercial carrier may be used.
OIG:
- Normally, hand-carried
- For internal mail, double-sealed "Addressee Only" envelope.
Outside the NRC:
OI:
- Normally, hand-carried, commercial carrier or registered mail.
OIG:
- Only hand-carried or registered mail.
Encryption:
All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.
ELECTRONIC COPY TRANSMISSION May I transmit the document electronically by e-mail or fax?
OIG Investigation Information:
o No, for OIG Investigation Information.
OI Investigation Information:
o OI Personnel and NRC staff must have the Director of OI's approval to transmit OI Investigation Information electronically by email or fax. If approved, OI Personnel and NRC staff are required to encrypt OI Investigation Information using FIPS 140-2 validated encryption modules operated in FIPS mode prior to sending it in accordance with Management Directive 12.5 "NRC Cybersecurity Program". This information should only be shared with individuals with a need-to-know.
Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.
STORAGE Inside NRC:
For both OI and OIG: Investigation Information must be stored in safes, locked cabinets, or a limited access area protected by a card reader or other access control device.
Outside NRC:
OIG Investigation Information: If taken outside the NRC to another U.S. Government office, the information should be stored the same as inside the NRC, except as specified in "USE WHILE TRAVELING OR COMMUTING."
OI Investigation Information: If taken outside the NRC to use at home, paper-based records should be transported in portfolios, briefcases, or similar devices that are locked when the records are not in use. These containers should be identifiable by tag, label or decal with NRC contact and mailing information. Follow the instructions specified above for "USE WHILE TRAVELING OR COMMUTING."
On NRC Electronic Systems: Encrypted and password protected access for both OI and OIG Investigation Information.
DESTRUCTION For OIG, follow OIG guidance in accordance with NUREG-0910, "NRC Comprehensive Records Disposition Schedule."
For OI:
o Use an ADM/DFS approved shredder that is approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information.
o Place in Sensitive Unclassified Waste Disposal Containers.
o ELECTRONIC DATA: Use NRC authorized destruction methods in accordance with MD 12.5 or return to OI.
DECONTROL AUTHORITY OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents in Charge (SAIC's).
OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).
UNITED STATES NUCLEAR REGULATORY COMMISSION
Yellow Announcement: YA-16-0052
Date: May 23, 2016
Expiration Date: July 1, 2019
TO: All NRC Employees
SUBJECT: CHANGE TO NEED-TO-KNOW DEFINITION
The purpose of this Yellow Announcement is to update the "need-to-know" definition in Management Directive (MD) 12.0, "Glossary of Security Terms." The revised definition of "need-to-know" is as follows:
Need-to-Know
- 1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
- 2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.
Please note that MD 12.0 will be updated to include the revised definition. If you have any questions, please contact Denis Brady at (301) 415-5768.
/RA/
Cynthia A. Carpenter, Director
Office of Administration
Management Directive Reference: MD 12.0, "Glossary of Security Terms," Directive Section 11, and MD 12.1, "NRC Facility Security Program," Handbook Section IV.B
ML16111A432
| OFFICE | ADM/DFS/FSB | ADM/DFS/FSB/BC | ADM/DFS/DD |
|---|---|---|---|
| NAME | ARoundtree | DBrady | SSchoenmann |
| DATE | 04/20/2016 | 04/20/2016 | 05/17/2016 |
| OFFICE | ADM/DFS/D | ADM/DD | ADM/D |
| NAME | TPulliam | SStewart | CCarpenter |
| DATE | 05/17/2016 | 05/23/2016 | 05/23/2016 |