Text

Mr. Andrew N. Mauer, Senior Director Regulatory Affairs Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004

SUBJECT:

RESPONSE TO THE NUCLEAR ENERGY INSTITUTE LETTER DATED APRIL 1, 2022, ON THE U.S. NUCLEAR REGULATORY COMMISSIONS CONTROLLED UNCLASSIFIED INFORMATION PROGRAM IMPLEMENTATION.

Dear Mr. Mauer:

On March 28, 2022, the U.S. Nuclear Regulatory Commission (NRC) conducted its third public meeting on controlled unclassified information (CUI) to continue its discussions with NRC external stakeholders (e.g., licensees, applicants, Agreement State regulators) on the following:

the NRCs plans to discontinue the sensitive unclassified non-safeguards information (SUNSI) program and to implement the NRCs CUI program on September 20, 2022 the potential impacts to NRC external stakeholders resulting from the NRCs plans to transition to CUI potential alternatives under NRC consideration to minimize the burden on NRC external stakeholders of complying with National Institute of Standards and Technology (NIST)

Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, issued December 2016 The NRC has made all information related to this public meeting available in the Agencywide Documents Access and Management System (ADAMS) at Accession No. ML22095A160.

In addition to comments provided by the Nuclear Energy Institute (NEI) during the public meeting, you also sent a letter dated April 1, 2022, on behalf of your members (ADAMS Accession No. ML22110A178) expressing several concerns about the NRCs CUI timeline and approach to implement Title 32 of the Code of Federal Regulations Part 2002, Controlled Unclassified Information (CUI) (CUI Rule). Specifically, you expressed that the expectation for NRC external stakeholders to implement an information system consistent with NIST SP 800-171 is not justified for external stakeholders that do not want to receive and download CUI electronically from the NRC. In your letter, you also recommended that the NRC adopt an approach that supports sharing of CUI with external stakeholders through electronic portals or mailing hard copies of CUI through the U.S. mail to minimize the burden on NRC external stakeholders of complying with NIST SP 800-171. Finally, until alternative methods to share CUI with NRC external stakeholders are identified, you recommended that the NRC delay May 3, 2022 A. Mauer 2

implementing its CUI program. On April 15, 2022, STARS Alliance, LLC, submitted a letter (ADAMS Accession No. ML22122A185) to the NRC to express their full support of the comments you submitted on April 1, 2022.

First, I would like to clarify the applicability of the standards in NIST SP 800-171 in the context of the NRCs transition to CUI. The CUI Rule requires agencies to use NIST SP 800-171 when establishing security requirements to protect the confidentiality of CUI on non-Federal information systems (unless the authorizing law, regulation, or Governmentwide policy listed in the CUI Registry for the CUI category or subcategory of the information involved prescribes specific safeguarding requirements for protecting the informations confidentiality, or unless an agreement establishes requirements to protect CUI Basic at higher than moderate confidentiality). The NRC intends to implement this CUI requirement through its written agreements with nonexecutive branch entities, as exemplified by the draft NRC CUI information-sharing agreement included in the background materials for the March 28, 2022, public meeting. However, NRC stakeholders that do not intend to process, store, or transmit CUI on their non-Federal information systems will not need to satisfy these NIST standards.

Recognizing the challenge that compliance with NIST SP 800-171 may pose for those that do receive CUI on their non-Federal information systems, the NRC has engaged external stakeholders, including the NEI, on several occasions since the CUI Rule was issued to discuss alternative methods of disseminating CUI to such stakeholders. For example, in a March 2019 public meeting, the NRC staff indicated that it was considering developing an online portal that would enable licensees to view documents. During the meeting, the NRC staff sought clarification on whether licensees would need to download and print information made accessible through an online portal. The initial feedback received from industry representatives was that CUI shared through any such portal would need to be downloaded, forwarded, and potentially printed, not just viewed. In addition, a small number of NRC external stakeholders that currently receive SUNSI in hardcopy format would expect to continue to receive any CUI from the NRC in a similar manner. Finally, the external stakeholders also expressed that a CUI portal would only help alleviate the burden of complying with NIST SP 800-171 if other Federal agencies also used the same portal to share CUI with NRC external stakeholders.

In a March 2020 public meeting, the NRC again indicated its preference to develop a portal that would allow licensees to view CUI without transmitting, processing, or storing it on the licensees non-Federal systems. Feedback from some external stakeholders reiterated the need for an option to download documents. Lastly, during the September 2020 virtual NEI Regulatory Affairs Forum, the NRC staff discussed the issue of disseminating CUI to external stakeholders in a manner that meets the standards of NIST SP 800-171. Based on external stakeholder feedback on the suggested portal, the staff indicated that the NRC will continue to explore other options to share CUI with such stakeholders. In light of NRC external stakeholders interest in taking possession of (i.e., possessing, storing, or transmitting) CUI, the staff described the minimum conditions needed to take possession of CUI on a non-Federal information system.

Specifically, the staff indicated that external stakeholders need a system security plan (SSP) and plan-of-action milestones (POAM) in place by the time the agency transitions to CUI. The NRC staff also pointed licensees to the references available on the NIST website1 to support their development of the SSP and POAM.

As stated during the March 28, 2022, meeting, the NRC is no longer considering the development of a CUI portal. Even with the use of a CUI portal, some external stakeholders still

1 https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final A. Mauer 3

anticipate that they will need to take possession of CUI onto their non-Federal information system. Therefore, the NRC is continuing to evaluate an alternative approach to support external stakeholders that do not want to take possession of CUI they receive from the NRC and are content with having view-only access. Likewise, any external stakeholders that intend to take possession of CUI onto a non-Federal information system would need to commit to developing a SSP and POAM to meet the standards of NIST SP 800-171.

Next, I would like to address your concern that the NRCs expected transition date to CUI should be delayed to permit the exploration of alternative methods to share CUI with external stakeholders.

During the March 28, 2022, public meeting, the NRC shared its estimated timeline to transition to CUI on September 20, 2022. On September 20, 2022, the NRC expects that the agency staff and contractors would begin applying CUI banner markings to documents containing CUI and discontinue their use of any Official Use Only markings associated with the NRCs SUNSI program. As part of the transition, the NRC intends to begin entering into written agreements with nonexecutive branch entities before sharing CUI, whenever feasible, which will set forth requirements and expectations for the appropriate handling of the information. If such agreements are not finalized by the transition date, the NRC may utilize other communication tools to strongly encourage the appropriate protection of CUI until such agreements are finalized.

As background, during the March 2020, public meeting, the NRC staff informed external stakeholders of its intent to transition to CUI in fall 2022. This estimate was based on the fact that the NRC was still developing its CUI Policy Statement and NRC staff guidance. On November 12, 2021, the NRC published its CUI Policy Statement in the Federal Register, followed by Management Directive 12.6, NRC Controlled Unclassified Information Program (ADAMS Accession No. ML21223A168) on December 3, 2021. These key documents laid the foundation for the NRC staff to communicate its CUI policy while moving forward with any remaining tasks (i.e., mandatory CUI training for NRC staff and contractors) to permit the NRC to proceed with its transition to CUI on September 20, 2022.

Furthermore, in SECY-18-0035, Update on Development of the Controlled Unclassified Information Program, dated March 8, 2018 (ADAMS Accession No. ML18065B107), the NRC staff identified its plan to implement the NRCs CUI program while engaging with external stakeholders to communicate the CUI Rule requirements and to identify and proactively address any potential challenges. The NRC staff has actively worked to implement the CUI Rule and has continued to follow the approach described in SECY-18-0035 to support effective coordination with stakeholders to minimize unintended consequences while still implementing the CUI Rule on a schedule comparable to those of other Federal agencies.

Any future decisions to delay the NRCs transition to CUI beyond September 20, 2022, would continue to be based upon these guiding principles, to ensure that CUI shared by the NRC staff with external stakeholders is protected in a manner consistent with the CUI Rule and the NRCs CUI policy as described in Management Directive 12.6. Additionally, as explained above, the NRC does not intend to require stakeholders to commit to meeting the standards of NIST SP 800-171 in written agreements if the stakeholder does not intend to take possession of CUI onto a non-Federal information system. We hope this clarification alleviates your concern with the NRCs upcoming CUI transition.

A. Mauer 4 In closing, I want to thank you for your comments, and I hope this response clarifies the NRCs CUI implementation plans. The NRC looks forward to continuing working with you and other external stakeholders to address concerns as the agency works to complete its CUI transition.

Sincerely, Scott C. Flanders, Deputy Chief Information Officer Office of the Chief Information Officer Signed by Flanders, Scott on 05/03/22

ML22118A860; Ltr ML22110A175

• via email OFFICE OCIO/GEMSD ADM/DRMA* OCIO/CISO OGC/GCRPS

/LCLSP/NLO NAME TMensah TM JDougherty JDJFeibus JF EMichel EM DATE Apr 28, 2022 Apr 28, 2022 Apr 29, 2022 May 3, 2022 OFFICE OCIO/DD NAME SFlanders SF DATE May 3, 2022