ML22145A550

June 2, 2022, NRC CUI Virtual Public Meeting Slides
ML22145A550
Person / Time
Issue date: 06/02/2022
From: Scott Flanders, Tanya Mensah
NRC/OCIO
To:
Mensah, Tanya; 301-415-3610


Text

U.S. Nuclear Regulatory Commission (NRC)

Controlled Unclassified Information (CUI)

Virtual Public Meeting

June 2, 2022

Scott Flanders, Deputy Chief Information Officer
Tanya Mensah, CUI Program Manager
Office of the Chief Information Officer (OCIO)

US Nuclear Regulatory Commission (NRC)

Purpose

To hold a focused discussion with NRC stakeholders (i.e., licensees, Agreement States, etc.) regarding the NRC's plans to establish CUI information-sharing agreements and to discuss potential alternatives when sharing CUI that minimize burden on stakeholders.

  • Key Messages
  • NRC CUI Schedule
  • CUI Information Sharing Agreement
  • CUI Dissemination
  • Q&A Session

Reminder: Please do not put questions in the chat.

You will have the opportunity to ask questions or comment at a designated time in the meeting.

Key Messages

The NRC plans to transition to CUI on September 20, 2022.

All NRC employees and contractors continue to follow the existing agency policy for Sensitive Unclassified Non-Safeguards Information (SUNSI), which remains in effect until CUI is implemented.

CUI will:

  • Replace the NRC's current Sensitive Unclassified Non-Safeguards Information (SUNSI) Program.
  • Includes Safeguards Information (SGI) and SGI-Modified Handling (SGI-M) [10 CFR Part 73 requirements remain the same]

The NRC is evaluating potential alternatives (view-only and/or mail) to minimize the burden on NRC stakeholders of complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

The NRC is committed to minimizing the impact of this transition for NRC internal and external stakeholders, to the extent practicable.

is coming

What Is CUI?

A federally mandated information security reform that standardizes the way the entire Federal government handles information that is not classified or Restricted Data but requires protection.

Information qualifies as CUI because a law, regulation, or government-wide policy either requires or permits that information to be protected.

Replaces more than one hundred different agency policies and associated markings with one shared policy (CUI) and standardized markings for Federal executive branch agencies.

Key Differences Between SUNSI and CUI

  • As defined in 32 CFR 2002, Controlled Unclassified Information and the NARA CUI Registry, there are:
    • Specific marking and handling requirements for CUI
    • Specific requirements for Federal and non-Federal IT Systems
    • Controlled environment requirements
    • Destruction requirements
    • Decontrolling requirements
    • Challenge, waiver, incident response, and self-assessment requirements
  • Formal CUI information-sharing agreements are required, where feasible, when sharing CUI.

Key NRC CUI Implementation Tasks & Estimated Milestones

  • NRC CUI Policy Statement: Published the NRC's high-level CUI Policy Statement in the Federal Register on November 12, 2021.
  • NRC CUI Implementing Policy & Guidance: Published MD 12.6, NRC Controlled Unclassified Information Program, on December 3, 2021. Available on the NRC's CUI Public Website: https://www.nrc.gov/readingrm/cui.html
  • NRC CUI Training: Deploy mandatory CUI training for NRC employees and contractors (Goal: June 2022).
  • CUI Rulemaking (Administrative): Publish Final Rule (Goal: August 2022). This rulemaking consists of nomenclature changes proposed to existing regulations in 10 CFR Part 2, Agency Rules of Practice and Procedure, to avoid potential confusion once the SUNSI program is discontinued. Reference: SECY-21-0105: Final Rule: Controlled Unclassified Information
  • CUI Written Agreements: Establish CUI information-sharing agreements with non-Executive entities. Issue an administrative CUI Regulatory Issue Summary to inform all NRC stakeholders of the NRC's plans to transition to CUI by September 20, 2022, and to establish CUI information-sharing agreements. (Goal: August 2022)
  • Estimated NRC Transition from SUNSI to CUI (Goal: September 20, 2022)

CUI Information Sharing Agreements (32 CFR 2002.16(a)(5))

  • Agencies should enter into a formal information-sharing agreement, whenever feasible, when sharing CUI with a non-executive branch entity.
  • When an agency cannot enter into formal agreements, but the agency's mission requires it to disseminate CUI to non-executive entities, the Government strongly encourages non-executive entities to protect CUI in accordance with the CUI Rule.
  • CUI protections should also accompany the CUI if the non-executive entity disseminates it further.

NIST SP 800-171

  • The CUI rule identifies National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171* as containing the security requirements for protecting CUI's confidentiality on non-Federal information systems.**
  • If the non-executive branch entity's information systems process or store CUI, the CUI Rule requires agencies to prescribe National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, when establishing security requirements in written agreements to protect the CUI's confidentiality.
  • NIST SP 800-171 applies to non-executive branch entities that intend to download, forward, and print CUI they receive from an agency on a non-Federal information system.
    • NIST CUI Information Security Requirements Workshop:

https://www.nist.gov/newsevents/events/2018/10/controlledunclassified informationsecurityrequirementsworkshop

Common NRC CUI Categories*

CUI Basic Categories

  • Archaeological Resources
  • Emergency Management
  • General Law Enforcement
  • General Privacy (e.g., Personally Identifiable Information)
  • General Proprietary Business Information
  • Information Systems Vulnerability Information
  • Investigation
  • Legal Privilege
  • Operations Security
  • Physical Security Information
  • Whistleblower Identity (includes allegations)

CUI Specified Categories

  • Budget
  • Critical Electric Infrastructure Information
  • Criminal History Records Information
  • Export Controlled
  • Historic Properties
  • International Agreement Information
  • Naval Nuclear Propulsion Information
  • Nuclear Security-Related Information
  • Protected Critical Infrastructure Information
  • Safeguards Information
  • Source Selection
  • Unclassified Controlled Nuclear Information - Energy

  • NARA CUI Registry:

https://www.archives.gov/cui/registry/categorylist

Common Examples of Documents That May Contain CUI

  • Nonpublic information shared with licensees, applicants, Agreement States, nuclear suppliers, U.S. national labs, international agencies.
  • Documents pertaining to proprietary applications
  • License Amendment Requests
  • Topical Reports
  • Some Relief Requests and License Renewal
  • Requests for additional information (RAIs)
  • Draft guidance documents
  • NRC-generated reports (Research/Technical Report)
  • Unredacted Updated Final Safety Analysis Reports
  • Inspection Reports
  • Investigation documents
  • Licensee financial information (e.g., RAIs, Safety Evaluations)
  • Decommissioning Trust fund documents
  • Reactor operator exam records, questions, medical or other internal records
  • Generic Communications (Security Advisories, Information Assessment Team Advisories, and some Regulatory Issue Summaries)
  • Security-Related Inspection Procedures
  • Documents containing CUI shared with petitioners/intervenors, applicants, and licensees in the course of adjudicatory proceedings

NRC CUI Information Sharing Agreement Status

Draft NRC CUI Information Sharing Agreement

  • For use with NRC stakeholders that will receive CUI from the NRC.
  • Initial draft was shared during the March 28, 2022, NRC public meeting.

Format

  • Body (contains high-level CUI provisions)
  • Appendix (identifies CUI categories that the agency may share with the recipient)

Current Status

  • Includes the CUI categories the NRC could potentially share with non-Executive branch entities.
  • Includes a provision for NRC stakeholders that prefer a view-only or mail solution.
  • Requires review and coordination through the Paperwork Reduction Act process.

NRC CUI Regulatory Issue Summary

  • While the NRC is working toward establishing the CUI information-sharing agreement, an administrative RIS will be issued to inform stakeholders of:
    • NRC's plans to transition to CUI on September 20, 2022.
    • The CUI rule requirement for all agencies to enter into formal information-sharing agreements with non-Executive branch entities, where feasible.
    • The NRC's plans to provide a view-only or mail alternative to minimize the burden of NIST SP 800-171 on NRC stakeholders.

CUI Dissemination Example (view-only)

  • NARA encourages agencies to provide access to CUI through agency portals or other means, to alleviate the burden of NIST SP 800-171 on non-Executive branch entities.
  • OCIO plans to finalize its timeline to support the development of various approaches later this summer.
  • The following slides provide an example of a technology under NRC consideration to support a view-only mode and the challenge associated with this approach.

Estimated Timeline To Establish CUI Information Sharing Agreements

  • CUI RIS (August 2022): Issue a RIS to discuss the NRC's plans to transition to CUI on September 20, 2022, and to establish CUI information-sharing agreements with NRC stakeholders.
  • Agreement (OMB approval) (March 2023): Obtain OMB approval of a clearance number for the information-sharing agreement. (Paperwork Reduction Act)
  • Sign Agreements (April 2023): Provide the information-sharing agreement to NRC stakeholders (i.e., licensees, Agreement States, etc.) for digital signature.
  • Tracking (May 2023): Store signed agreements in an NRC repository (TBD) to support tracking.
  • Maintenance (Ongoing): Update existing agreements and establish new agreements, as needed.

Summary/Conclusion

1. Maintain communications with NRC stakeholders regarding the NRC's plans to transition to CUI and following the transition to CUI.

2. Submit the information-sharing agreement to OMB for a clearance number. Public comment is afforded through the Paperwork Reduction Act.

3. Finalize decisions regarding a view-only alternative to minimize the burden of NIST SP 800-171 on NRC stakeholders.

4. Coordinate with NRC stakeholders who plan to meet NIST SP 800-171 so that they can download, print, and forward CUI they receive from the NRC onto a non-Federal information system.

How Can You Obtain Additional Information?

  • NRC CUI Program Contact
    • Scott Flanders, OCIO Deputy Chief Information Officer
    • Jon Feibus, Acting NRC CUI Senior Agency Official
    • Tanya Mensah, NRC CUI Program Manager
    • Email: CUI@nrc.gov
  • CUI Registry
  • Policy & Guidance
  • Training (NARA CUI videos)
  • CUI Blog
  • CUI Program Update To Stakeholders Meeting
  • CUI FAQs now available

CUI Reference/Background Information

Executive Order 13556

Designated National Archives and Records Administration (NARA) as the CUI Executive Agent (EA) responsible for implementing Executive Order 13556 and overseeing department and agency actions to ensure compliance.

Information Security Oversight Office (ISOO) is the specific office within NARA that performs the CUI Executive Agent role, which includes the CUI Program.

CUI Rule

  • 32 CFR 2002 (September 14, 2016) [CUI rule]
  • Implements the CUI Program
  • Establishes policy for designating, handling, and decontrolling information that qualifies as CUI
  • Effective: November 14, 2016 (Day 0)
  • Describes the minimum protections for CUI
    • Physical and Electronic Environments
    • Marking
    • Sharing
    • Destruction
    • Decontrol

NARA CUI Registry

The CUI Registry, maintained and managed by the NARA, identifies all approved CUI categories, provides general descriptions for each category, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

The registry contains

  • Categories
  • Limited Dissemination Controls
  • Marking Guidance
  • Training and Awareness