ML22081A285

From kanterella

March 28, 2022, NRC CUI Virtual Public Meeting Presentation

Issue date: 03/28/2022
From: Tanya Mensah, Governance & Enterprise Management Services Division
To: Tanya Mensah; 301-415-3610
Shared Package: ML22081A343

U.S. Nuclear Regulatory Commission (NRC)

Controlled Unclassified Information (CUI) Virtual Public Meeting

March 28, 2022

Scott Flanders, Deputy Chief Information Officer
Tanya Mensah, CUI Program Manager
Office of the Chief Information Officer (OCIO)

Purpose

To continue discussions with NRC stakeholders (i.e., licensees, Agreement States, etc.) regarding the NRC's plans to implement a Controlled Unclassified Information (CUI) program.

  • Key Messages
  • NRC CUI Schedule
  • General Overview
  • Impacts to NRC Stakeholders
  • Q&A Session

Reminder: Please do not put questions in the chat.

You will have the opportunity to ask questions or comment at a designated time in the meeting.

Key Messages

The NRC plans to transition to CUI on September 20, 2022.

CUI will:

  • Replace the NRC's current Sensitive Unclassified Non-Safeguards Information (SUNSI) Program.
  • Include Safeguards Information (SGI) and SGI-Modified Handling (SGI-M). [10 CFR Part 73, Physical Protection of Plants and Materials, requirements remain the same.]

Before transitioning, all NRC employees and contractors will be required to complete mandatory NRC CUI training during the summer of 2022.

All NRC employees and contractors continue to follow the existing agency policy for Sensitive Unclassified Non-Safeguards Information (SUNSI), which remains in effect until CUI is implemented.

The NRC is committed to minimizing the impact of this transition for NRC internal and external stakeholders, to the extent practicable.


Key NRC CUI Implementation Tasks & Estimated Milestones

  • NRC CUI Policy Statement: Published the NRC's high-level CUI Policy Statement in the Federal Register on November 12, 2021.
  • NRC CUI Implementing Policy & Guidance: Published MD 12.6, NRC Controlled Unclassified Information Program, on December 3, 2021. Available on the NRC's CUI Public Website: https://www.nrc.gov/reading-rm/cui.html
  • NRC CUI Training: Deploy mandatory CUI training for NRC employees and contractors (Goal: June 1, 2022).
  • CUI Rulemaking (Administrative): Publish Final Rule (Goal: August 2022). This rulemaking consists of nomenclature changes proposed to existing regulations in 10 CFR Part 2, Agency Rules of Practice and Procedure, to avoid potential confusion once the SUNSI program is discontinued. Reference: SECY-21-0105, Final Rule: Controlled Unclassified Information.
  • CUI Written Agreements: Establish CUI information-sharing agreements with non-Executive entities (Goal: August/September 2022).
  • Estimated NRC Transition from SUNSI to CUI (Goal: September 20, 2022).

NRC Sensitive Unclassified Non-Safeguards Information (SUNSI) Program

  • The NRC's current program to protect information that is generally not publicly available and encompasses a wide variety of categories (e.g., personnel privacy, attorney-client privilege, confidential source, etc.).
  • Any information where the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

What Is CUI?

CUI is information that is not classified, but that Federal law, regulation, or governmentwide policy either requires or permits an agency to handle using safeguarding and dissemination controls.

The CUI Program:

(1) Standardizes the way the Federal government handles information that is not classified or Restricted Data but requires protection.

(2) Replaces more than one hundred different agency policies and associated markings with one shared policy (i.e., CUI) and standardized markings for Federal executive branch agencies.

(3) Directly applies to executive branch agencies that designate or handle CUI, and indirectly applies through formal CUI written agreements or arrangements to non-executive branch recipients.

Key Differences Between SUNSI and CUI

  • As defined in 32 CFR 2002, Controlled Unclassified Information, and the NARA CUI Registry, there are:
    • Specific marking and handling requirements for CUI
    • Specific requirements for Federal and non-Federal IT Systems
    • Controlled environment requirements
    • Destruction requirements
    • Decontrolling requirements
    • Challenge, waiver, incident response, and self-assessment requirements
  • Formal CUI information-sharing agreements are required, where feasible, when sharing CUI.

Public Access to NRC Information

  • The CUI program:
    • Addresses how executive branch agencies handle and share information for agency business purposes.
    • Does not affect public rights to information under the Freedom of Information Act or the Privacy Act.
    • Does not require agencies to change their policies on public release of information to the general public.

NRC External Outreach

  • NRC CUI Public Meetings
    • July 25, 2019 (ADAMS Number: ML19211B785)
    • March 5, 2020 (ADAMS Number: ML20079H844)
  • Office of Nuclear Reactor Regulation (NRR)
    • NRC Regulatory Issues Task Force Public Meetings
  • Office of Nuclear Material Safety and Safeguards (NMSS)
    • Annual Conference of Radiation Control Program Directors (CRCPD) Meeting
    • NRC Monthly Status Call with the Agreement States
  • NRC CUI Public Website (https://www.nrc.gov/reading-rm/cui.html)
  • Nuclear Energy Institute (NEI) Virtual Regulatory Affairs Forum (September 16, 2020): NRC and NARA participated on the CUI Panel to provide a CUI update to the industry fleet.

Two Types of CUI

CUI Basic

  • Information type for which laws, regulations, or governmentwide policies require or permit protection, but do not set out specific handling or dissemination controls.
  • Agencies protect CUI Basic per the uniform controls established in 32 CFR 2002, Controlled Unclassified Information Program, and the NARA CUI Registry (https://www.archives.go

CUI Specified

  • Information type for which laws, regulations, or governmentwide policies require or permit protection, and also include one or more specific handling standards for that information (e.g., unique markings, physical safeguards, limits on who can access the information).
  • Agencies protect the information at the CUI Basic level, except where laws, regulations, or governmentwide policies specify something different.

Common NRC CUI Categories*

CUI Basic Categories

  • Archaeological Resources
  • Emergency Management
  • General Law Enforcement
  • General Privacy (e.g., Personally Identifiable Information)
  • General Proprietary Business Information
  • Information Systems Vulnerability Information
  • Investigation
  • Legal Privilege
  • Operations Security
  • Physical Security Information
  • Whistleblower Identity (previously allegations)

CUI Specified Categories

  • Budget
  • Critical Electric Infrastructure Information
  • Criminal History Records Information
  • Export Controlled
  • Historic Properties
  • International Agreement Information
  • Naval Nuclear Propulsion Information
  • Nuclear Security-Related Information
  • Protected Critical Infrastructure Information
  • Safeguards Information
  • Source Selection
  • Unclassified Controlled Nuclear Information - Energy

* NARA CUI Registry: https://www.archives.gov/cui/registry/category-list

General NRC CUI Banner Marking Requirements

  • The primary marking for all CUI is the CUI Banner Marking.
  • This is the main marking that appears at the top of each page of any document that contains CUI.
  • The banner marking is mandatory because it alerts the recipients to the fact that the document contains CUI.
  • NRC CUI Banner Marking Format
    • CUI//CATEGORY MARKING(S)//DISSEMINATION
    • Bold, capitalized black text, and centered.
    • Top only.
  • Category markings:
    • Listed in the CUI Registry: https://www.archives.gov/cui/registry/category-marking-list
    • After the CUI// in the banner, any CUI Specified categories are listed first in alphabetical order, followed by any CUI Basic categories in alphabetical order.
    • A document may contain multiple CUI categories.

NRC Legacy Document Waiver Requirements

32 CFR 2002.36: When the agency deems remarking legacy documents to be excessively burdensome, the CUI Senior Agency Official may grant a legacy material marking waiver.

NRC Management Directive 12.6:

  • The remarking of legacy materials is not required while the information remains under agency control.
  • The document must be appropriately marked as CUI if it's being disseminated outside the agency or if the information is being reused.
  • When re-using any legacy information that qualifies as CUI, the authorized holder must remove or redact legacy markings and designate or re-mark the information as CUI.

Legacy Information is unclassified information that an agency marked as restricted from access or dissemination in some way, or otherwise controlled, prior to the CUI Program.

How Will CUI Impact Non-Executive Branch Entities?

CUI only includes information the government creates or possesses, or that an entity (e.g., contractor) creates or possesses on behalf of the government.

Non-executive branch entities only have to apply CUI controls to information received from the Federal government pursuant to a written agreement or arrangement.

CUI does not supersede or replace other laws, regulations, or governmentwide policies, which may impose their own control requirements (e.g., 10 CFR Part 73, Physical Protection of Plants and Materials, controls for Safeguards Information (SGI)).

Continue to comply with the marking requirements specified in NRC regulations:

  • 10 CFR 2.390, Public inspections, exemptions, requests for withholding

CUI Information-Sharing Agreements (32 CFR 2002.16(a)(5))

  • Agencies should enter into a formal information-sharing agreement, whenever feasible, when sharing CUI with a non-executive branch entity.
  • When an agency cannot enter into formal agreements, but the agency's mission requires it to disseminate CUI to non-executive entities, the Government strongly encourages non-executive entities to protect CUI in accordance with the CUI Rule.
  • CUI protections should also accompany the CUI if the non-executive entity disseminates it further.

NIST SP 800-171 Compliance

  • The CUI rule identifies National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171* as containing the security requirements for protecting CUI's confidentiality on non-Federal information systems.**
  • All agencies must prescribe, at a minimum, the requirements of NIST SP 800-171 when sharing electronic CUI with non-executive entities that are not operating an information system on behalf of the agency.
    • NIST CUI Information Security Requirements Workshop: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

When Do Non-Executive Entities Need To Meet The Requirements In NIST SP 800-171?

During the March 5, 2020, NRC CUI Public Meeting, NARA discussed the following:

No established deadline.

Non-executive entities should have a system security plan (SSP) and plan of action milestones (POAM) in place by the time the agency transitions to CUI.

Agencies have flexibility to coordinate with non-executive entities to establish any deadlines.

  • NRC's goal is to:
    • Support an effective transition to CUI for non-executive entities.
    • Consider NRC stakeholder feedback to establish a reasonable deadline for non-executive branch entities to comply with NIST SP 800-171.

How Will The NRC Share CUI With Non-Executive Branch Entities?

  • The NRC considered the development of a CUI portal to minimize the burden on non-executive entities to comply with NIST SP 800-171.
  • An NRC CUI portal does not appear to be feasible:
    • It only alleviates the burden of complying with NIST SP 800-171 if other agencies that are sharing CUI are also using the same portal.
    • It does not eliminate the need for a large majority of entities to download CUI they receive from the NRC.
    • It is not ideal for entities that prefer to receive CUI in hard copy format.
  • The NRC is currently exploring an alternative to securely share CUI with non-executive entities.

Does The NRC Plan To Conduct Inspections To Verify Non-Executive Entity Compliance With NIST SP 800-171?

Level 1

  • Non-executive entity self-certifies that they comply with NIST SP 800-171.
  • Non-executive entity develops and maintains required NIST SP 800-171 documentation (system security plan (SSP) and plan of action milestones (POAM)).

Level 2

  • Non-executive entity submits their SSP and POAM to the agency for review.
  • NARA has shared that requesting and reviewing system security plans (SSPs) is burdensome on an agency and potentially puts CUI at more risk than necessary.

Level 3

  • If agencies choose to inspect or audit non-executive entities, they must use NIST SP 800-171A.
  • Provides the NRC with the opportunity to selectively validate the non-executive entities' policies and procedures and to identify potential gaps in relation to NIST SP 800-171.

What Are The NRC's Plans To Establish Formal Information-Sharing Agreements?

NRC Goal

  • Partner with NARA and other Federal agencies to develop a draft multiagency CUI information-sharing agreement.

DRAFT NRC CUI Information-Sharing Agreement (Under development)

  • Intended for use with NRC stakeholders that receive CUI from multiple federal agencies.
  • Proposed Format
    • Body (high-level provisions applicable to all agencies)
    • Appendices (agency-specific)

What Is The Estimated NRC Schedule To Establish Information-Sharing Agreements?

General Task (Status):

  • Identify NRC Stakeholders (Licensees, Agreement States, Applicants, Vendors, Owners Groups, Contractors, etc.) - Completed
  • Awareness Communication and Gather Feedback - In progress
  • Develop General Information-Sharing Agreement - In progress
  • Share General Agreement with NRC External Stakeholders - In progress
  • Coordinate with NARA & Other Federal Agencies - In progress
  • Coordinate with NRC Program Offices for Targeted Meetings/Discussions with Non-Executive Entities - TBD
  • Non-Executive Entities Sign Agreement Prior to the NRC's CUI Implementation Date of September 20, 2022 (estimated) - ~August/September 2022
  • Alternative approaches may need to be explored with specific groups of NRC external stakeholders.

How Should NRC Legacy Information Be Handled By Non-Executive Entities?

  • Non-executive branch entities:
    • Do not have legacy information unless specified in an information-sharing agreement.
    • Have information that was received prior to the agency transition to CUI.
    • Continue to protect information received prior to the agency transition to CUI. Non-executive entities do not have to modify those protections unless specified in an information-sharing agreement.
    • Should not apply CUI markings on information that is not developed for the government or on behalf of the government.
  • Since there are incident security reporting requirements for CUI, it's important for non-executive entities to distinguish between information that belongs (or does not belong) to the government.

NRC Path Forward

(1) Maintain communications with NRC internal and external stakeholders regarding the NRC's plans to transition to CUI.

(2) Establish formal information-sharing agreements between the NRC and its stakeholders.

(3) Enter into partnerships with other agencies in the energy sector that have a similar regulatory mission as the NRC.

(4) Align with various NRC external stakeholders on a timeline to meet the NIST SP 800-171 requirements and implement any NRC alternatives to minimize burden on the recipient.

How Can You Obtain Additional Information?

  • NRC CUI Program Contact
  • Jon Feibus, Acting NRC CUI Senior Agency Official
  • Email: CUI@nrc.gov
  • Policy & Guidance
  • CUI Program Update To Stakeholders Meeting

CUI Reference/Background Information

Why is the CUI Program Necessary?

Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting in:

  • An inefficient patchwork system with more than 100 different policies and markings across the executive branch
  • Inconsistent marking and safeguarding of documents
  • Unclear or unnecessarily restrictive dissemination policies
  • Impediments to authorized information sharing

Executive Order 13556

  • Established the CUI Program.
  • Required agencies to review and identify categories of unclassified information requiring safeguarding or dissemination controls by existing law, regulation, or governmentwide policy.
  • Promotes information sharing with federal partners (e.g., industry, academia, licensees, vendors, States).
  • Designated an Executive Agent (EA) to implement Executive Order 13556 and oversee department and agency actions to ensure compliance.
    • National Archives and Records Administration (NARA)
    • Information Security Oversight Office (ISOO)

CUI Rule

  • 32 CFR 2002 (September 14, 2016) [CUI Rule]
    • Implements the CUI Program
    • Establishes policy for designating, handling, and decontrolling information that qualifies as CUI
    • Effective: November 14, 2016 (Day 0)
  • Describes the minimum protections (derived from existing agency practices) for CUI
    • Physical and Electronic Environments
    • Marking
    • Sharing
    • Destruction
    • Decontrol

NARA CUI Registry

The CUI Registry, maintained and managed by NARA, identifies all approved CUI categories, provides general descriptions for each category, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

The registry contains:

  • Categories
  • Limited Dissemination Controls
  • Marking Guidance
  • Training and Awareness

How Will Documents Be Marked When Sent From the NRC? (e.g., SGI)

  • More examples of how the NRC will mark CUI are expected to be included in the appendix of the CUI NDA.

Marking Required Per Authority: An organization or individual applies the marking as required by law or regulation.

CUI Banner: The NRC staff must leave the required marking intact on the document and also apply the appropriate CUI banner below the marking required per authority.

Example (SGI):

  • Non-Executive Entity Marking: SAFEGUARDS INFORMATION. All SGI (both internal to the NRC and external to the NRC) will continue to have the specific markings required per an authority (i.e., 10 CFR 73.22(d) or 10 CFR 73.23(d)).
  • NRC Applies CUI Marking: SAFEGUARDS INFORMATION, followed by CUI//SP-SGI. The NRC must leave the required marking per Part 73 intact and also apply the appropriate CUI banner below the marking required per authority in the header only.

How Will Documents Be Marked When Sent From the NRC? (e.g., Proprietary)

  • Agency markings are expected to be included in the appendix of the CUI NDA.

Marking Required Per Authority: An organization or individual applies the marking as required by law or regulation.

CUI Banner: The NRC staff must leave the required marking intact on the document and also apply the appropriate CUI banner below the marking required per authority.

Example (Proprietary):

  • Non-Executive Entity Marking: WITHHOLD UNDER 10 CFR 2.390. All Proprietary information submitted to the NRC will continue to have the specific markings required per an authority (i.e., 10 CFR 2.390).
  • NRC Applies CUI Marking: WITHHOLD UNDER 10 CFR 2.390, followed by CUI//PROPIN. The NRC must leave the required marking per Part 73 intact and also apply the appropriate CUI banner below the marking required per authority in the header only.

How Will The NRC Apply Portion Markings To NRC-Created Documents?

  • This is an example of an NRC-created document that contains multiple CUI categories.
  • The NRC's CUI Policy recommends that staff separate CUI from the main body of a document, into an Enclosure, where feasible.
  • Portion marking is encouraged. Only certain CUI categories require portion marking at the NRC.

Example document (banner: CUI//SP-SRI//PROPIN):

SUBJECT: (U) Marking Instructions

(U) When portion marking is used and a paragraph does not contain any CUI, (U) is used at the beginning of the paragraph.

(CUI//PROPIN) The portion mark contains CUI// followed by the CUI marking(s) and the limited dissemination markings. This paragraph contains General Proprietary Business Information (PROPIN), a CUI Basic category. The category marking order is the same as is required in the banner.

(CUI//SP-SRI) More than one CUI category may exist within an NRC document. If so, the document must be marked to identify all of the CUI categories that are included within the document. This paragraph contains Nuclear Security-Related Information (SP-SRI), a CUI Specified category.

(U) The CUI banner must identify all of the CUI categories that are included in the document.
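The banner format described under the banner marking requirements (CUI//CATEGORY MARKING(S)//DISSEMINATION, CUI Specified categories first, then CUI Basic, each group alphabetical) and the portion-marking rule that the banner must name every category used in the document, as an added Python example that is not part of the NRC presentation. It assumes a small lookup table covering only the three category markings shown on these slides (SP-SGI, SP-SRI, PROPIN) and follows the slides' use of "//" between category markings; the NARA CUI Registry marking list is the authority for anything beyond that.

```python
import re

# Category markings taken from the slides; "SP-" marks a CUI Specified
# category. Add further markings from the CUI Registry category list as needed.
CATEGORY_TYPES = {
    "SP-SGI": "specified",  # Safeguards Information
    "SP-SRI": "specified",  # Nuclear Security-Related Information
    "PROPIN": "basic",      # General Proprietary Business Information
}
PORTION_RE = re.compile(r"^\((U|CUI//[A-Z0-9/ -]+)\)")  # "(U)" or "(CUI//...)"

def order_categories(categories):
    """Banner order: CUI Specified markings A-Z, then CUI Basic markings A-Z."""
    cats = set(categories)
    unknown = sorted(cats - set(CATEGORY_TYPES))
    if unknown:
        raise ValueError(f"unknown category marking(s): {unknown}")
    return (sorted(c for c in cats if CATEGORY_TYPES[c] == "specified")
            + sorted(c for c in cats if CATEGORY_TYPES[c] == "basic"))

def build_banner(categories, dissemination=()):
    """CUI//CATEGORY MARKING(S)//DISSEMINATION, '//' separators as on the slides."""
    if not categories:
        raise ValueError("a CUI banner needs at least one category marking")
    return "//".join(["CUI", *order_categories(categories), *dissemination])

def parse_banner(banner):
    """Split a banner into (categories, dissemination); reject bad ordering."""
    tokens = banner.split("//")
    if tokens[0] != "CUI" or len(tokens) < 2:
        raise ValueError(f"not a CUI banner: {banner!r}")
    cats = []
    for tok in tokens[1:]:  # leading run of known category markings
        if tok not in CATEGORY_TYPES:
            break
        cats.append(tok)
    dissem = tokens[1 + len(cats):]  # anything after them is dissemination
    if not cats or cats != order_categories(cats):
        raise ValueError(f"categories missing or out of order: {banner!r}")
    return cats, dissem

def portion_categories(paragraph):
    """Categories named by a paragraph's portion mark; [] for (U) or no mark."""
    m = PORTION_RE.match(paragraph.strip())
    if not m or m.group(1) == "U":
        return []
    return parse_banner(m.group(1))[0]

def check_document(banner, paragraphs):
    """True when the banner lists exactly the categories the portion marks use."""
    used = set()
    for p in paragraphs:
        used.update(portion_categories(p))
    return set(parse_banner(banner)[0]) == used

# Constructed sample: the paragraphs of the portion-marking slide above.
SAMPLE_BANNER = "CUI//SP-SRI//PROPIN"
SAMPLE_PARAGRAPHS = [
    "(U) Marking Instructions",
    "(CUI//PROPIN) This paragraph contains General Proprietary Business Information.",
    "(CUI//SP-SRI) This paragraph contains Nuclear Security-Related Information.",
    "(U) The CUI banner must identify all of the CUI categories in the document.",
]
```

`check_document` is the check a reviewer would run before release: a banner that omits a category used in a portion, or lists one in the wrong order, is rejected.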