ML22116A044

From kanterella
Draft NRC CUI Information-Sharing Agreement
Issue date: 03/28/2022
From: NRC/OCIO
Shared Package: ML22095A160

March 22, 2022 (NRC CUI Virtual Public Meeting Handout)

DRAFT NRC CUI Information-Sharing Agreement

1. Purpose and Background. The purpose of this Agreement is to establish a framework between [Non-Federal Entity] and the U.S. Nuclear Regulatory Commission (NRC) (collectively referred to as the Parties), to enable the NRC to share Controlled Unclassified Information (CUI) consistent with Title 32 of the Code of Federal Regulations (32 CFR) § 2002.16(a)(5), which states that Federal agencies should enter into formal written agreements prior to sharing CUI with non-executive branch entities.

This Agreement sets forth safeguarding, access, and dissemination controls that apply to CUI the NRC shares with [Non-Federal Entity]. [Non-Federal Entity] accepts these controls, which are described herein, as a condition of being provided access to the CUI. Nothing in this Agreement establishes a right or entitlement to receive CUI from the NRC.

2. Definitions.

Controlled unclassified information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or information that is classified under the Atomic Energy Act of 1954, as amended. CUI does not include information that a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. It includes information in either digital or hard-copy format.

CUI Basic and CUI Specified. All CUI shared pursuant to the terms of this Agreement will qualify as either CUI Basic or CUI Specified.

CUI Basic. CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. This information is governed by the CUI Basic controls set forth in 32 CFR 2002.

CUI Specified. CUI Specified is the subset of CUI for which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from the default controls associated with CUI Basic.

CUI categories. CUI is divided into categories that reflect the types of information for which laws, regulations, or Government-wide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI Executive Agent (Director of the Information Security Oversight Office at the National Archives and Records Administration) has approved and listed in the CUI Registry.

CUI Registry. The CUI Registry is the online repository for all executive branch-level information, guidance, policy, and requirements on handling CUI, including 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures (see https://www.archives.gov/cui).

CUI security incident. Improper access, use, disclosure, modification, or destruction of CUI, in any form or medium, constitutes a CUI security incident.

Handling. Any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information, constitutes handling.

Lawful Government purpose. CUI may be shared with a person who has a lawful Government purpose to handle the information, which is any activity, mission, function, operation, or endeavor that the Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities, such as state and local law enforcement.

Limited dissemination control. These are any CUI Executive Agent-approved controls identified on the CUI Registry that agencies may use to limit or specify CUI dissemination.

3. Safeguarding, Access, and Dissemination Controls.
a. The NRC will appropriately mark or identify all CUI shared pursuant to this Agreement and identify the information as either CUI Basic or CUI Specified prior to or at the time it is shared.
b. CUI Basic. [Non-Federal Entity] agrees to handle any CUI Basic received pursuant to this Agreement as follows:
1. Physical security and handling: Meet the physical security and storage, mailing, reproduction, and transmission requirements in 32 CFR § 2002.14. [Non-Federal Entity] may select appropriate methods to meet these requirements;
2. Information systems: Protect the confidentiality of CUI Basic on its information systems consistent with the latest version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations in effect at the time this Agreement is signed (available at https://dx.doi.org/10.6028/NIST.SP.800-171), and comply with any requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, that are identified in the Appendix for a particular CUI category;

3. Additional security requirements: Implement any additional information security requirements [Non-Federal Entity] reasonably determines necessary to provide adequate security in a dynamic environment; and
4. Unless stated otherwise in the Appendix for a particular CUI category, [Non-Federal Entity] may destroy CUI Basic that it receives pursuant to this Agreement, but must do so in a manner consistent with 32 CFR § 2002.14(f)(2).

c. CUI Specified. The NRC will identify any unique safeguarding, access, or dissemination controls for CUI Specified in the Appendix. [Non-Federal Entity] will handle CUI Specified received pursuant to this Agreement consistent with the CUI Basic standards in section 3.a of this Agreement, except to the extent that the CUI Specified is subject to specific handling controls identified in the Appendix, in which case [Non-Federal Entity] will apply those controls. The NRC will ensure that [Non-Federal Entity] is aware of such specified handling controls prior to or at the time the CUI Specified is shared, either through the Appendix or on a case-by-case basis.

4. Duplication or creation of derivative CUI. Any CUI received from the NRC pursuant to this Agreement that is duplicated by [Non-Federal Entity], including but not limited to copying, printing, scanning, or any other means of physical or electronic duplication, must be handled pursuant to this Agreement in the same manner as the original CUI source information. [Non-Federal Entity] must ensure that equipment used for such duplication, such as printers, copiers, scanners, or fax machines, does not retain the data or that such equipment is properly sanitized so as to ensure the information is not retrievable, in accordance with NIST SP 800-53. [Non-Federal Entity] may create derivative documents using CUI that is received pursuant to this Agreement, so long as such derivative documents are then marked and handled pursuant to this Agreement in the same manner as the original CUI source information.
5. Third-party sharing. Unless expressly stated otherwise, this Agreement does not prevent [Non-Federal Entity] from sharing CUI received pursuant to this Agreement so long as such sharing is permitted by the law, regulation, or Government-wide policy governing the CUI and the disclosure furthers a lawful Government purpose. Examples of such disclosure may include, but are not limited to, disclosure to law enforcement agencies or to a court of competent jurisdiction pursuant to a court order. [Non-Federal Entity] is strongly encouraged to contact the NRC point of contact(s) identified in the designation indicator of the document/information prior to sharing any CUI received pursuant to this Agreement if [Non-Federal Entity] is unsure whether this standard is met in a given situation.
6. Limited dissemination controls. The NRC may, at or prior to the time CUI is shared with [Non-Federal Entity], place limited dissemination controls on CUI that expressly restrict sharing that CUI with certain individuals or classes of individuals (e.g., prohibitions on sharing the CUI with foreign governments or foreign nationals, or requirements to share the information only with people or entities on an included distribution list). The NRC will clearly mark and convey such limitations at the time the CUI is shared. The NRC will only utilize such limited dissemination controls when there is a lawful Government purpose for doing so.

7. Point of Contact. The NRC point of contact for the agency's CUI program is included in the Appendix.

[Non-Federal Entity] must utilize the point of contact identified in the Appendix for all questions concerning the scope, applicability, or interpretation of this Agreement, as well as for reporting any CUI security incidents referenced in Section 8.

8. CUI security incidents and misuse.
a. When [Non-Federal Entity] discovers a suspected or confirmed CUI security incident or misuse of CUI, it must promptly notify the appropriate NRC point of contact identified in the Appendix. This notification must include, to the extent it is known at the time, all relevant circumstances surrounding the breach, including identification of the CUI involved and the extent to which the [Non-Federal Entity] knows or suspects the CUI has been disseminated to or accessed by unauthorized individuals. [Non-Federal Entity] should promptly supplement this initial notification with additional information as it becomes available. The NRC may also request [Non-Federal Entity] to supplement this notification with additional relevant information, when necessary. Misuse of CUI may serve as a basis for terminating this Agreement or a basis for the NRC to discontinue voluntarily sharing CUI with [Non-Federal Entity].

b. [Non-Federal Entity] reporting obligations under this Agreement are in addition to any other applicable requirements in law, regulation, or policy. This Agreement does not relieve or supersede any such requirements.
9. Assignment. CUI that is shared with [Non-Federal Entity] remains the property of the United States Government and the United States Government retains all rights to any royalties, remunerations, or emoluments that resulted, will result, or may result from any disclosure, publication, or revelation of CUI covered under this Agreement.
10. Enforcement. [Non-Federal Entity] understands that mishandling CUI in contravention of the terms and conditions of this Agreement may subject [Non-Federal Entity] to any applicable administrative, civil, or criminal penalties, as appropriate, under the laws or regulations of the United States applicable to the CUI category involved (see 32 CFR § 2002.16(a)(6)(ii)). The United States Government has not waived any statutory or common law privileges or protections that it may assert in any administrative or court proceeding to protect CUI that is shared pursuant to the terms of this Agreement. The United States Government retains the right to seek any remedy available, including but not limited to application for a court order prohibiting the disclosure of CUI.
11. Modification of Agreement. This Agreement can be amended with the written consent of both Parties.
12. Duration. This Agreement is effective as of the date the last party signs and will remain in effect until termination. Either party may terminate this Agreement by providing notice in writing [x] days prior to the effective date of termination. Upon termination, the NRC will instruct [Non-Federal Entity] to either return all CUI received pursuant to this Agreement (including any duplicates or derivative works based on CUI received pursuant to this Agreement), destroy such CUI in a manner consistent with 32 CFR § 2002.14(f), or take other appropriate action.

13. Severability. The provisions of this Agreement are deemed to be severable and the invalidity, illegality, or unenforceability of one or more provisions shall not affect the validity, legality, or enforceability of the remaining provisions.
14. Acknowledgment. The Parties to this Agreement represent and warrant that they have the authority to bind their respective organizations to its terms and conditions. All Parties have read this Agreement carefully and agree that they understand its terms and conditions.

[INSERT SIGNATURE BLOCK FOR ALL SIGNATORIES]

APPENDIX

Commented [MT1]: Note: Any agency entering into this agreement would have a separate appendix that is formatted in a similar manner.

1. Point of Contact. For all questions or concerns that arise under this Agreement, including the breach notification requirements of Section 8 of the Agreement, contact the NRC CUI Program at CUI@NRC.GOV.

2. CUI Basic. NRC may share the following categories of CUI Basic with [Non-Federal Entity] pursuant to this Agreement. Unless otherwise stated, access to CUI Basic is restricted to authorized individuals that have a lawful Government purpose to access the information to perform their work.
a. Archaeological Resources
  • Marking when received from NRC: CUI//ARCHR
  • The safeguarding and/or dissemination authority(ies) for Archaeological Resources information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/archaeological-resources

  • Dissemination: This information cannot be shared with any third parties absent the express consent of the NRC.
b. General Law Enforcement
  • Marking when received from NRC: CUI//LEI
  • The safeguarding and/or dissemination authority(ies) for General Law Enforcement information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/general-law-enforcement

c. General Privacy
  • Marking when received from NRC: CUI//PRVCY
  • The safeguarding and/or dissemination authority(ies) for General Privacy information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/privacy.html

d. General Proprietary Business Information
  • Marking when received from NRC: CUI//PROPIN
  • The safeguarding and/or dissemination authority(ies) for General Proprietary Business information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/proprietary-business-info.html

e. Information Systems Vulnerability Information
  • Marking when received from NRC: CUI//ISVI
  • The safeguarding and/or dissemination authority(ies) for Information Systems Vulnerability Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/info-systems-vulnerability-info.html

3. CUI Specified. NRC may share the following categories of CUI Specified with [Non-Federal Entity] pursuant to this Agreement. Unless otherwise stated, access to CUI Specified is restricted to authorized individuals that have a lawful Government purpose to access the information to perform their work.

Commented [MT2]: Note: This portion of the Appendix is still under development to set out the Specified controls for each of the following categories; this will identify to non-executive entities the requirements that differ from CUI Basic handling requirements.
a. Critical Energy Infrastructure Information
  • Marking when received from NRC: CUI//SP-CEII
  • The safeguarding and/or dissemination authority(ies) for Critical Energy Infrastructure Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/critical-energy-infrastructure-information

b. Export Controlled Information
  • Marking when received from NRC: CUI//SP-EXPT
  • The safeguarding and/or dissemination authority(ies) for Export Controlled Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/export-control.html

  • Access: Access to Export Controlled Information is restricted by the following:
      • The information must not be available to foreign nationals unless access has been specifically authorized for those individuals by an agency with the authority to grant access.
      • IT systems that contain Export Controlled Information must not have foreign nationals as system administrators.
      • Except for the above situation, access must be restricted to U.S. citizens that have authorization to access the information and a lawful Government purpose to access the information to perform their NRC work.
  • Dissemination: Export Controlled Information may only be shared with a foreign entity specifically authorized access to the information by a U.S. Federal organization authorized to grant that access.

c. Historic Properties
  • Marking when received from NRC: CUI//SP-HISTP
  • The safeguarding and/or dissemination authority(ies) for Historic Properties Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/historic-properties

d. Nuclear Security-Related Information
  • Marking when received from NRC: CUI//SP-SRI
  • The safeguarding and/or dissemination authority(ies) for Nuclear Security-Related Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/nuclear-security-related-info.html

e. Operations Security Information
  • Marking when received from NRC: CUI//OPSEC
  • The safeguarding and/or dissemination authority(ies) for Operations Security Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/operations-security-info

f. Protected Critical Infrastructure Information
  • Marking when received from NRC: CUI//SP-PCII
  • The safeguarding and/or dissemination authority(ies) for Protected Critical Infrastructure Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/protected-critical-infrastructure-information

g. Safeguards Information
  • Marking when received from NRC: CUI//SP-SGI
  • The safeguarding and/or dissemination authority(ies) for Safeguards Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/safeguards-info

The authority for Safeguards Information is 10 CFR Part 73, Physical Protection of Plants and Materials. Notwithstanding anything else in this Agreement, [Non-Federal Entity] will handle and control Safeguards Information received from the NRC pursuant to the terms of this Agreement consistent with the controls in 10 CFR Part 73, as required by law.

h. Unclassified Controlled Nuclear Information - Energy
  • Marking when received from NRC: CUI//SP-UCNI
  • The safeguarding and/or dissemination authority(ies) for Unclassified Controlled Nuclear Information is provided in the NARA CUI Registry:

https://www.archives.gov/cui/registry/category-detail/ucni-doe