ML22116A043

March 28, 2022, NRC CUI Virtual Public Meeting Presentation
Issue date: 03/28/2022
From: Scott Flanders, NRC/OCIO
Shared Package: ML22095A160

Text

U.S. Nuclear Regulatory Commission (NRC)

Controlled Unclassified Information (CUI)

Virtual Public Meeting, March 28, 2022
Scott Flanders, Deputy Chief Information Officer
Tanya Mensah, CUI Program Manager
Office of the Chief Information Officer (OCIO)

Purpose

To continue discussions with NRC stakeholders (i.e., licensees, Agreement States, etc.) regarding the NRC's plans to implement a Controlled Unclassified Information (CUI) program.

Agenda

  • Key Messages
  • CUI General Overview
  • Impacts to NRC Stakeholders
  • NRC Schedule
  • Q&A Session

Reminder: Please do not put questions in the chat. You will have the opportunity to ask questions or comment at a designated time in the meeting.

Key Messages: CUI Is Coming

The NRC plans to transition to CUI on September 20, 2022.

CUI will:

  • Replace the NRC's current Sensitive Unclassified Non-Safeguards Information (SUNSI) Program.
  • Include Safeguards Information (SGI) and SGI-Modified Handling (SGI-M). [10 CFR Part 73, Physical Protection of Plants and Materials, requirements remain the same.]

Before transitioning, all NRC employees and contractors will be required to complete mandatory NRC CUI training during the summer of 2022.

All NRC employees and contractors continue to follow the existing agency policy for Sensitive Unclassified Non-Safeguards Information (SUNSI), which remains in effect until CUI is implemented.

The NRC is committed to minimizing the impact of this transition for NRC internal and external stakeholders, to the extent practicable.

Key NRC CUI Implementation Tasks & Estimated Milestones

  • NRC CUI Policy Statement: Published the NRC's high-level CUI Policy Statement in the Federal Register on November 12, 2021.
  • NRC CUI Implementing Policy & Guidance: Published MD 12.6, NRC Controlled Unclassified Information Program, on December 3, 2021. Available on the NRC's CUI Public Website: https://www.nrc.gov/reading-rm/cui.html
  • NRC CUI Training: Deploy mandatory CUI training for NRC employees and contractors (Goal: June 1, 2022).
  • CUI Rulemaking (Administrative): Publish Final Rule (Goal: August 2022). This rulemaking consists of nomenclature changes proposed to existing regulations in 10 CFR Part 2, Agency Rules of Practice and Procedure, to avoid potential confusion once the SUNSI program is discontinued. Reference: SECY-21-0105, Final Rule: Controlled Unclassified Information.
  • CUI Written Agreements: Establish CUI information-sharing agreements with non-Executive entities (Goal: August/September 2022).
  • Estimated NRC Transition from SUNSI to CUI (Goal: September 20, 2022).

NRC Sensitive Unclassified Non-Safeguards Information (SUNSI) Program

  • The NRC's current program to protect information that is generally not publicly available and encompasses a wide variety of categories (e.g., personnel privacy, attorney-client privilege, confidential source, etc.).
  • Any information where the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

What Is CUI?

CUI is information that is not classified, but that Federal law, regulation, or governmentwide policy either requires or permits an agency to handle using safeguarding and dissemination controls.

The CUI Program:

(1) Standardizes the way the Federal government handles information that is not classified or Restricted Data but requires protection.

(2) Replaces more than one hundred different agency policies and associated markings with one shared policy (i.e., CUI) and standardized markings for Federal executive branch agencies.

(3) Directly applies to executive branch agencies that designate or handle CUI, and indirectly applies through formal CUI written agreements or arrangements to non-executive branch recipients.


Key Differences Between SUNSI and CUI

  • As defined in 32 CFR 2002, Controlled Unclassified Information and the NARA CUI Registry, there are:
  • Specific marking and handling requirements for CUI
  • Specific requirements for Federal and non-Federal IT Systems
  • Controlled environment requirements
  • Destruction requirements
  • Decontrolling requirements
  • Challenge, waiver, incident response, and self-assessment requirements
  • Formal CUI information-sharing agreements are required, where feasible, when sharing CUI.


Public Access to NRC Information

  • The CUI program:
  • Addresses how executive branch agencies handle and share information for agency business purposes.
  • Does not affect public rights to information under the Freedom of Information Act or the Privacy Act.
  • Does not require agencies to change their policies on public release of information to the general public.


NRC CUI Public Meetings

  • July 25, 2019 (ADAMS Number: ML19211B785)
  • March 5, 2020 (ADAMS Number: ML20079H844)

External Outreach

  • Office of Nuclear Reactor Regulation (NRR): NRC Regulatory Issues Task Force Public Meetings
  • Office of Nuclear Material Safety and Safeguards (NMSS): Annual Conference of Radiation Control Program Directors (CRCPD) Meeting; NRC Monthly Status Call with the Agreement States
  • NRC CUI Public Website (https://www.nrc.gov/reading-rm/cui.html)
  • Nuclear Energy Institute (NEI) Virtual Regulatory Affairs Forum (September 16, 2020): NRC and NARA participated on the CUI Panel to provide a CUI update to the industry fleet.

Two Types of CUI

CUI Basic

  • Information type for which laws, regulations, or governmentwide policies require or permit protection but do not set out specific handling or dissemination controls.
  • Agencies protect CUI Basic per the uniform controls established in 32 CFR 2002, Controlled Unclassified Information Program, and the NARA CUI Registry.

CUI Specified

  • Information type for which laws, regulations, or governmentwide policies require or permit protection and also include one or more specific handling standards for that information (e.g., unique markings, physical safeguards, limits on who can access the information).
  • Agencies protect the information at the CUI Basic level, except where laws, regulations, or governmentwide policies specify something different.

Common NRC CUI

CUI Basic Categories

  • Archaeological Resources
  • Budget
  • Emergency Management
  • General Law Enforcement
  • General Privacy (e.g., Personally Identifiable Information)
  • General Proprietary Business Information
  • Historic Properties
  • Information Systems Vulnerability Information
  • Investigation
  • Legal Privilege
  • Operations Security
  • Physical Security
  • Source Selection
  • Whistleblower Identity (previously allegations)

CUI Specified Categories

  • Critical Electric Infrastructure Information
  • Criminal History Records
  • Export Controlled
  • International Agreement Information
  • Naval Nuclear Propulsion Information
  • Nuclear Security-Related Information
  • Protected Critical Infrastructure Information
  • Safeguards Information
  • Unclassified Controlled Nuclear Information - Energy

NARA CUI Registry: https://www.archives.gov/cui/registry/category-list

General NRC CUI Banner Marking Requirements

  • The primary marking for all CUI is the CUI Banner Marking.
  • This is the main marking that appears at the top of each page of any document that contains CUI.
  • The banner marking is mandatory because it alerts the recipients to the fact that the document contains CUI.
  • NRC CUI Banner Marking Format: CUI//CATEGORY MARKING(S)//DISSEMINATION
  • Bold, capitalized black text, and centered. Top only.
  • Category markings are listed in the CUI Registry: https://www.archives.gov/cui/registry/category-marking-list
  • After the CUI// in the banner, any CUI Specified categories are listed first in alphabetical order, followed by any CUI Basic categories in alphabetical order.
  • A document may contain multiple CUI categories.

NRC Legacy Document Waiver Requirements

Legacy Information is unclassified information that an agency marked as restricted from access or dissemination in some way, or otherwise controlled, prior to the CUI Program.

32 CFR 2002.36: When the agency deems remarking legacy documents to be excessively burdensome, the CUI Senior Agency Official may grant a legacy material marking waiver.

NRC Management Directive 12.6:

  • The remarking of legacy materials is not required while the information remains under agency control.
  • The document must be appropriately marked as CUI if it is being disseminated outside the agency or if the information is being reused.
  • When re-using any legacy information that qualifies as CUI, the authorized holder must remove or redact legacy markings and designate or re-mark the information as CUI.

How Will CUI Impact Non-Executive Branch Entities?

  • CUI only includes information the government creates or possesses, or that an entity (e.g., contractor) creates or possesses on behalf of the government.
  • Non-executive branch entities only have to apply CUI controls to information received from the Federal government pursuant to a written agreement or arrangement.
  • CUI does not supersede or replace other laws, regulations, or governmentwide policies, which may impose their own controls.
  • Continue to comply with the marking requirements specified in NRC regulations.
CUI Information-Sharing Agreements (32 CFR 2002.16(a)(5))

  • Agencies should enter into a formal information-sharing agreement, whenever feasible, when sharing CUI with a non-executive branch entity.
  • When an agency cannot enter into formal agreements, but the agency's mission requires it to disseminate CUI to non-executive entities, the Government strongly encourages non-executive entities to protect CUI in accordance with the CUI Rule.
  • CUI protections should also accompany the CUI if the non-executive entity disseminates it further.

NIST SP 800-171 Compliance

  • The CUI rule identifies National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as containing the security requirements for protecting CUI's confidentiality on non-Federal information systems.
  • All agencies must prescribe, at a minimum, the requirements of NIST SP 800-171 when sharing electronic CUI with non-executive entities that are not operating an information system on behalf of the agency.
  • NIST CUI Information Security Requirements Workshop: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

When Do Non-Executive Entities Need To Meet The Requirements In NIST SP 800-171?

  • During the March 5, 2020, NRC CUI Public Meeting, NARA discussed the following:
    • No established deadline.
    • Non-executive entities should have a system security plan (SSP) and plan of action and milestones (POAM) in place by the time the agency transitions to CUI.
    • Agencies have flexibility to coordinate with non-executive entities to establish any deadlines.
  • The NRC's goal is to:
    • Support an effective transition to CUI for non-executive entities.
    • Consider NRC stakeholder feedback to establish a reasonable deadline for non-executive branch entities to comply with NIST SP 800-171.

How Will The NRC Share CUI With Non-Executive Branch Entities?

  • The NRC considered the development of a CUI portal to minimize the burden on non-executive entities to comply with NIST SP 800-171.
  • An NRC CUI portal does not appear to be feasible:
  • Only alleviates the burden of complying with NIST SP 800-171 if other agencies that are sharing CUI are also using the same portal.
  • Does not eliminate the need for a large majority of entities to download CUI they receive from the NRC.
  • Is not ideal for entities that prefer to receive CUI in hard copy format.
  • The NRC is currently exploring an alternative to securely share CUI with non-executive entities.


Does The NRC Plan To Conduct Inspections To Verify Non-Executive Entity Compliance With NIST SP 800-171?

Level 1
  • Non-executive entity self-certifies that they comply with NIST SP 800-171.
  • Non-executive entity develops and maintains required NIST SP 800-171 documentation (system security plan (SSP) and plan of action and milestones (POAM)).

Level 2
  • Non-executive entity submits their SSP and POAM to the agency for review.
  • NARA has shared that requesting and reviewing system security plans (SSPs) is burdensome on an agency and potentially puts CUI at more risk than necessary.

Level 3
  • If agencies choose to inspect or audit non-executive entities, they must use NIST SP 800-171A.
  • Provides the NRC with the opportunity to selectively validate the non-executive entities' policies and procedures and to identify potential gaps in relation to NIST SP 800-171.

What Are The NRCs Plans To Establish Formal Information-Sharing Agreements?

NRC Goal

  • Partner with NARA and other Federal agencies to develop a draft multiagency CUI information-sharing agreement.

DRAFT NRC CUI Information-Sharing Agreement (Under development)

  • Intended for use with NRC stakeholders that receive CUI from multiple federal agencies.
  • Proposed Format
  • Body (high-level provisions applicable to all agencies)
  • Appendices (agency-specific)

What Is The Estimated NRC Schedule To Establish Information-Sharing Agreements?

General Task | Status
Identify NRC Stakeholders (Licensees, Agreement States, Applicants, Vendors, Owners Groups, Contractors, etc.) | Completed
Awareness Communication and Gather Feedback | In progress
Develop General Information-Sharing Agreement | In progress
Share General Agreement with NRC External Stakeholders | In progress
Coordinate with NARA & Other Federal Agencies | In progress
Coordinate with NRC Program Offices for Targeted Meetings/Discussions with Non-Executive Entities | TBD
Non-Executive Entities Sign Agreement Prior to the NRC's CUI Implementation Date of September 20, 2022 (estimated) | ~August/September 2022

  • Alternative approaches may need to be explored with specific groups of NRC external stakeholders.

How Should NRC Legacy Information Be Handled By Non-Executive Entities?

  • Non-executive branch entities:
  • Do not have legacy information unless specified in an information-sharing agreement.
  • Have information that was received prior to the agency transition to CUI.
  • Continue to protect information received prior to the agency transition to CUI.
  • Non-executive entities do not have to modify those protections unless specified in an information-sharing agreement.
  • Should not apply CUI markings on information that is not developed for the government or on behalf of the government.
  • Since there are incident security reporting requirements for CUI, it's important for non-executive entities to distinguish between information that belongs (or does not belong) to the government.

NRC Path Forward

1. Maintain communications with NRC internal and external stakeholders regarding the NRC's plans to transition to CUI.
2. Establish formal information-sharing agreements between the NRC and its stakeholders.
3. Enter into partnerships with other agencies in the energy sector that have a similar regulatory mission as the NRC.
4. Align with various NRC external stakeholders on a timeline to meet the NIST SP 800-171 requirements and implement any NRC alternatives to minimize burden on the recipient.

How Can You Obtain Additional Information?

  • NRC CUI Program Contact: Jon Feibus, Acting NRC CUI Senior Agency Official
  • Email: CUI@nrc.gov
  • Policy & Guidance
  • CUI Program Update To Stakeholders Meeting

CUI Reference/Background Information

Why is the CUI Program Necessary?

Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting in:

  • An inefficient patchwork system with more than 100 different policies and markings across the executive branch
  • Inconsistent marking and safeguarding of documents
  • Unclear or unnecessarily restrictive dissemination policies
  • Impediments to authorized information sharing

Executive Order 13556

  • Established the CUI Program.
  • Required agencies to review and identify categories of unclassified information requiring safeguarding or dissemination controls by existing law, regulation, or governmentwide policy.
  • Promotes information sharing with federal partners (e.g., industry, academia, licensees, vendors, States).
  • Designated an Executive Agent (EA) to implement Executive Order 13556 and oversee department and agency actions to ensure compliance:
    • National Archives and Records Administration (NARA)
    • Information Security Oversight Office (ISOO)

CUI Rule

  • 32 CFR 2002 (September 14, 2016) [CUI Rule]
  • Implements the CUI Program
  • Establishes policy for designating, handling, and decontrolling information that qualifies as CUI
  • Effective: November 14, 2016 (Day 0)
  • Describes the minimum protections (derived from existing agency practices) for CUI
  • Physical and Electronic Environments
  • Marking
  • Sharing
  • Destruction
  • Decontrol

NARA CUI Registry

CUI Registry = What we protect. The CUI Registry, maintained and managed by NARA, identifies all approved CUI categories, provides general descriptions for each category, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

The registry contains:

  • Categories
  • Limited Dissemination Controls
  • Marking Guidance
  • Training and Awareness

How Will Documents Be Marked When Sent From the NRC? (e.g., SGI)

  • More examples of how the NRC will mark CUI are expected to be included in the appendix of the CUI NDA.

Non-Executive Entity Marking (marking required per authority):
  • Header and footer: SAFEGUARDS INFORMATION
  • An organization or individual applies the marking as required by law or regulation. All SGI (both internal to the NRC and external to the NRC) will continue to have the specific markings required per an authority (i.e., 10 CFR 73.22(d) or 10 CFR 73.23(d)).

NRC Applies CUI Marking:
  • Header: SAFEGUARDS INFORMATION with the CUI banner CUI//SP-SGI below it; footer: SAFEGUARDS INFORMATION
  • The NRC must leave the required marking per Part 73 intact and also apply the appropriate CUI banner below the marking required per authority, in the header only.
  • The NRC staff must leave the required marking intact on the document and also apply the appropriate CUI banner below the marking required per authority.

How Will Documents Be Marked When Sent From the NRC? (e.g., Proprietary)

  • Agency markings are expected to be included in the appendix of the CUI NDA.

Non-Executive Entity Marking (marking required per authority):
  • Header and footer: WITHHOLD UNDER 10 CFR 2.390
  • An organization or individual applies the marking as required by law or regulation. All proprietary information submitted to the NRC will continue to have the specific markings required per an authority (i.e., 10 CFR 2.390).

NRC Applies CUI Marking:
  • Header: WITHHOLD UNDER 10 CFR 2.390 with the CUI banner CUI//PROPIN below it; footer: WITHHOLD UNDER 10 CFR 2.390
  • The NRC must leave the required marking per authority intact and also apply the appropriate CUI banner below the marking required per authority, in the header only.
  • The NRC staff must leave the required marking intact on the document and also apply the appropriate CUI banner below the marking required per authority.

How Will The NRC Apply Portion Markings To NRC-Created Documents?

  • This is an example of an NRC-created document that contains multiple CUI categories.
  • The NRC's CUI Policy recommends that staff separate CUI from the main body of a document, into an Enclosure, where feasible.
  • Portion marking is encouraged. Only certain CUI categories require portion marking at the NRC.

Example document:

CUI//SP-SRI//PROPIN

SUBJECT: (U) Marking Instructions

(U) When portion marking is used and a paragraph does not contain any CUI, (U) is used at the beginning of the paragraph.

(CUI//PROPIN) The portion mark contains CUI// followed by the CUI marking(s) and the limited dissemination markings. This paragraph contains General Proprietary Business Information (PROPIN), a CUI Basic category. The category marking order is the same as is required in the banner.

(CUI//SP-SRI) More than one CUI category may exist within an NRC document. If so, the document must be marked to identify all of the CUI categories that are included within the document. This paragraph contains Nuclear Security-Related Information (SP-SRI), a CUI Specified category.

(U) The CUI banner must identify all of the CUI categories that are included in the document.
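The banner rule on the earlier banner-marking slide (CUI Specified categories first, then CUI Basic, each group alphabetical) and the rule on the portion-marking slide above (the banner must name every category that appears in a portion mark) are the kind of thing a document-release check can enforce. The Python below is an added example, not NRC code or NRC guidance: it builds banner and portion marks from a category list, derives the banner a portion-marked document needs, and reports a banner that misses a category or lists them out of order. The REGISTRY and LDC tables are small constructed subsets of the NARA CUI Registry, the sample document is constructed, and the separator between category markings follows the deck's own example (CUI//SP-SRI//PROPIN) but is a parameter, since the NARA CUI Marking Handbook separates category markings with a single slash.

```python
"""Build and check CUI banner and portion markings.

Added example, not NRC code or guidance. Assumptions: REGISTRY and LDC are
small constructed subsets of the NARA CUI Registry; the separator between
category markings follows the deck's example ("CUI//SP-SRI//PROPIN") and is
a parameter, since the NARA CUI Marking Handbook uses a single "/".
"""
import re

# Constructed subset of the registry: category marking -> is CUI Specified.
REGISTRY = {"SGI": True, "SRI": True, "PROPIN": False}

# Constructed subset of the registry's Limited Dissemination Controls.
LDC = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}

# A portion mark is "(U)" or "(CUI//...)" at the start of a paragraph.
PORTION_RE = re.compile(r"\((U|CUI(?:/[^)]*)?)\)")


def category_token(marking: str) -> str:
    """CUI Specified categories carry the SP- prefix; Basic ones are bare."""
    if marking not in REGISTRY:
        raise ValueError(f"unknown CUI category marking: {marking}")
    return f"SP-{marking}" if REGISTRY[marking] else marking


def order_tokens(tokens) -> list:
    """Specified (SP-) categories first, then Basic, each group alphabetical."""
    return sorted(set(tokens), key=lambda t: (not t.startswith("SP-"), t))


def build_banner(markings, ldc=(), sep="//") -> str:
    """Banner: CUI//<category markings>[//<limited dissemination controls>]."""
    banner = "CUI//" + sep.join(order_tokens(category_token(m) for m in markings))
    if ldc:
        banner += "//" + "/".join(ldc)
    return banner


def portion_mark(markings, sep="//") -> str:
    """Portion mark for one paragraph; (U) when the paragraph holds no CUI."""
    if not markings:
        return "(U)"
    return "(CUI//" + sep.join(order_tokens(category_token(m) for m in markings)) + ")"


def tokens_in(marking: str) -> list:
    """Category tokens of a banner or portion mark, in the order written.

    Accepts both "CUI//SP-SRI//PROPIN" and "CUI//SP-SRI/PROPIN"; tokens
    that are dissemination controls rather than categories are dropped.
    """
    parts = [p for p in marking.split("/") if p]
    return [p for p in parts[1:] if p not in LDC]  # parts[0] is "CUI"


def categories_from_portions(text: str) -> set:
    """Every category token that appears in any portion mark of the text."""
    found = set()
    for mark in PORTION_RE.findall(text):
        if mark != "U":
            found.update(tokens_in(mark))
    return found


def derive_banner(text: str, sep="//") -> str:
    """The banner a portion-marked document needs ('' if it holds no CUI)."""
    cats = order_tokens(categories_from_portions(text))
    return "CUI//" + sep.join(cats) if cats else ""


def check_banner(banner: str, text: str) -> list:
    """Problems with a document's banner relative to its portion marks."""
    have = tokens_in(banner)
    need = categories_from_portions(text)
    problems = [f"banner lacks category {t}" for t in sorted(need - set(have))]
    if have != order_tokens(have):
        problems.append("banner order should be " + "//".join(order_tokens(have)))
    return problems


# Constructed sample document modelled on the deck's portion-marking slide.
DOC = """\
SUBJECT: (U) Marking Instructions
(U) When portion marking is used and a paragraph does not contain any CUI, (U) is used.
(CUI//PROPIN) This paragraph contains General Proprietary Business Information.
(CUI//SP-SRI) This paragraph contains Nuclear Security-Related Information.
"""

if __name__ == "__main__":
    print(derive_banner(DOC))                        # CUI//SP-SRI//PROPIN
    print(check_banner("CUI//PROPIN", DOC))          # ['banner lacks category SP-SRI']
    print(check_banner("CUI//PROPIN//SP-SRI", DOC))  # ['banner order should be SP-SRI//PROPIN']
```

Run stand-alone, the script derives CUI//SP-SRI//PROPIN for the sample document, flags a banner that omits SP-SRI, and flags one that lists the Basic category before the Specified one. Pass sep="/" to build_banner or derive_banner to emit the single-slash form used by the NARA marking handbook; the checker accepts either form because it splits on slashes and discards empty pieces.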