ML22145A552
Issue date: 05/25/2022
From: Tanya Mensah, Governance & Enterprise Management Services Division
Contact: Mensah, Tanya; 301-415-3610
Download: ML22145A552

NRC CUI Information-Sharing Agreement
- 1. Purpose and Background. The purpose of this Agreement is to establish a framework between [Non-Federal Entity] and the U.S. Nuclear Regulatory Commission (NRC) (collectively referred to as the Parties), to enable the NRC to share Controlled Unclassified Information (CUI) consistent with Title 32 of the Code of Federal Regulations (32 CFR) § 2002.16(a)(5), which states that Federal agencies should enter into formal written agreements prior to sharing CUI with non-executive branch entities.
This Agreement sets forth the safeguarding, access, and dissemination controls that apply to CUI the NRC shares with [Non-Federal Entity]. [Non-Federal Entity] accepts these controls, which are described herein, as a condition of being provided access to the CUI. Nothing in this Agreement establishes a right or entitlement to receive CUI from the NRC.
- 2. Definitions.
Controlled unclassified information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or information that is classified under the Atomic Energy Act of 1954, as amended. CUI does not include information that a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. It includes information in either digital or hard-copy format.
CUI Basic and CUI Specified. All CUI shared pursuant to the terms of this Agreement will qualify as either CUI Basic or CUI Specified.
CUI Basic. CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. This information is governed by the CUI Basic controls set forth in 32 CFR Part 2002.
CUI Specified. CUI Specified is the subset of CUI for which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from the default controls associated with CUI Basic.
CUI categories. CUI is divided into categories that reflect the types of information for which laws, regulations, or Government-wide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI Executive Agent (Director of the Information Security Oversight Office at the National Archives and Records Administration) has approved and listed in the CUI Registry.
CUI Registry. The CUI Registry is the online repository for all executive branch-level information, guidance, policy, and requirements on handling CUI, including 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures (see https://www.archives.gov/cui).
CUI security incident. Improper access, use, disclosure, modification, or destruction of CUI, in any form or medium, constitutes a CUI security incident.
Handling. Any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information, constitutes handling.
Lawful Government purpose. CUI may be shared with a person who has a lawful Government purpose to handle the information, which is any activity, mission, function, operation, or endeavor that the Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities, such as state and local law enforcement.
Limited dissemination control. These are any CUI Executive Agent-approved controls identified on the CUI Registry that agencies may use to limit or specify CUI dissemination.
- 3. Safeguarding, Access, and Dissemination Controls.
- a. The NRC will appropriately mark or identify all CUI shared pursuant to this Agreement and identify the information as either CUI Basic or CUI Specified prior to or at the time it is shared.
- b. CUI Basic. [Non-Federal Entity] agrees to handle any CUI Basic received pursuant to this Agreement as follows:
- 1. Physical security and handling: Meet the physical security and storage, mailing, reproduction, and transmission requirements in 32 CFR § 2002.14. [Non-Federal Entity] may select appropriate methods to meet these requirements;
- 2. Information systems (check one):
____ [Non-Federal Entity] certifies that its non-Federal information systems that may handle CUI are in full compliance with the standards described in the latest version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, in effect at the time this Agreement is signed (available at https://csrc.nist.gov/publications/sp800). [Non-Federal Entity] may take possession (e.g., download, forward, or print) of CUI using these information systems. [Non-Federal Entity] agrees to protect the confidentiality of CUI on these information systems in accordance with the standards in NIST SP 800-171, or any alternative or enhanced controls identified in the Appendix for a particular CUI category. Upon request, the NRC may review [Non-Federal Entity]'s system security plan (SSP) and Plan of Action and Milestones (POAM), described in NIST SP 800-171.
____ [Non-Federal Entity] certifies that it is in the process of ensuring that its non-Federal information systems that may handle CUI are compliant with NIST SP 800-171, and that, at minimum, it has completed the SSP and POAM described in NIST SP 800-171. [Non-Federal Entity] may take possession (e.g., download, forward, or print) of CUI using these information systems. [Non-Federal Entity] agrees to protect the confidentiality of CUI on its information systems in a manner consistent with these plans, and agrees to protect the confidentiality of CUI on its information systems in accordance with NIST SP 800-171 (or any alternative or enhanced controls identified in the Appendix for a particular CUI category) upon achieving full compliance with the NIST SP 800-171 standards. Upon request, the NRC may review [Non-Federal Entity]'s SSP and POAM, described in NIST SP 800-171.
____ [Non-Federal Entity]'s information systems are not in compliance with NIST SP 800-171, nor has [Non-Federal Entity] completed the SSP and POAM described in NIST SP 800-171. [Non-Federal Entity] understands that the NRC may be unable or unwilling to electronically share CUI with [Non-Federal Entity], where the agency has discretion, unless or until [Non-Federal Entity], at minimum, completes an SSP and POAM. The NRC may share CUI with [Non-Federal Entity] in hard copy, and [Non-Federal Entity] may not digitally convert such CUI for processing, storage, or transmission on any information system. Where feasible, the NRC may share CUI electronically through a view-only platform. If the NRC shares CUI through a platform intended for view-only access, [Non-Federal Entity] may view the CUI electronically through the view-only platform but agrees not to take other actions that involve electronic processing, storage, or transmission of the CUI, such as downloading, forwarding, or printing the CUI using any information systems. [Non-Federal Entity] understands that all physical security and handling requirements described in this Agreement apply to any hard copy CUI.
- c. CUI Specified. The NRC will identify any unique safeguarding, access, or dissemination controls for CUI Specified in the Appendix. [Non-Federal Entity] will handle CUI Specified received pursuant to this Agreement consistent with the CUI Basic standards in section 3.b of this Agreement, except to the extent that the CUI Specified is subject to specific handling controls identified in the Appendix, in which case [Non-Federal Entity] will apply those controls. The NRC will ensure that [Non-Federal Entity] is aware of such specified handling controls prior to or at the time the CUI Specified is shared, either through the Appendix or on a case-by-case basis.
- 4. Duplication or creation of derivative CUI. Any CUI received from the NRC pursuant to this Agreement that is duplicated by [Non-Federal Entity], including but not limited to copying, printing, scanning, or any other means of physical or electronic duplication, must be handled pursuant to this Agreement in the same manner as the original CUI source information. [Non-Federal Entity] must ensure that equipment used for such duplication, such as printers, copiers, scanners, or fax machines, does not retain the data, or that such equipment is properly sanitized so as to ensure the information is not retrievable, in accordance with NIST SP 800-53. [Non-Federal Entity] may create derivative documents using CUI that is received pursuant to this Agreement, so long as such derivative documents are then marked and handled pursuant to this Agreement in the same manner as the original CUI source information.
- 5. Third-party sharing. Unless expressly stated otherwise, this Agreement does not prevent [Non-Federal Entity] from sharing CUI received pursuant to this Agreement so long as such sharing is permitted by the law, regulation, or Government-wide policy governing the CUI and the disclosure furthers a lawful Government purpose. Examples of such disclosure may include, but are not limited to, disclosure to law enforcement agencies or to a court of competent jurisdiction pursuant to a court order. [Non-Federal Entity] is strongly encouraged to contact the NRC point of contact(s) identified in the designation indicator of the document/information prior to sharing any CUI received pursuant to this Agreement if [Non-Federal Entity] is unsure whether this standard is met in a given situation.
- 6. Limited dissemination controls. The NRC may, at or prior to the time CUI is shared with [Non-Federal Entity], place limited dissemination controls on CUI that expressly restrict sharing that CUI with certain individuals or classes of individuals (e.g., prohibitions on sharing the CUI with foreign governments or foreign nationals, or requirements to share the information only with people or entities on an included distribution list). The NRC will clearly mark and convey such limitations at the time the CUI is shared. The NRC will only utilize such limited dissemination controls when there is a lawful Government purpose for doing so.
- 7. Point of Contact. The NRC point of contact for the agency's CUI program is included in the Appendix. [Non-Federal Entity] must utilize the point of contact identified in the Appendix for all questions concerning the scope, applicability, or interpretation of this Agreement, as well as for reporting any CUI security incidents referenced in Section 8.
- 8. CUI security incidents and misuse.
- a. When [Non-Federal Entity] discovers a suspected or confirmed CUI security incident (i.e., information spill or security breach) or misuse of CUI, it must promptly notify the appropriate NRC point of contact identified in the Appendix. This notification must include, to the extent it is known at the time, all relevant circumstances surrounding the incident, including identification of the CUI involved and the extent to which [Non-Federal Entity] knows or suspects the CUI has been disseminated to or accessed by unauthorized individuals. [Non-Federal Entity] should promptly supplement this initial notification with additional information as it becomes available. The NRC may also request [Non-Federal Entity] to supplement this notification with additional relevant information, when necessary.
Misuse of CUI may serve as a basis for terminating this Agreement or a basis for the NRC to discontinue voluntarily sharing CUI with [Non-Federal Entity].
- b. [Non-Federal Entity]'s reporting obligations under this Agreement are in addition to any other applicable requirements in law, regulation, or policy. This Agreement does not relieve or supersede any such requirements.
- 9. Assignment. CUI that is shared with [Non-Federal Entity] remains the property of the United States Government, and the United States Government retains all rights to any royalties, remunerations, or emoluments that resulted, will result, or may result from any disclosure, publication, or revelation of CUI covered under this Agreement.
- 10. Enforcement. [Non-Federal Entity] understands that mishandling CUI in contravention of the terms and conditions of this Agreement may subject [Non-Federal Entity] to any applicable administrative, civil, or criminal penalties, as appropriate, under the laws or regulations of the United States applicable to the CUI category involved (see 32 CFR § 2002.16(a)(6)(ii)). The United States Government has not waived any statutory or common law privileges or protections that it may assert in any administrative or court proceeding to protect CUI that is shared pursuant to the terms of this Agreement. The United States Government retains the right to seek any remedy available, including but not limited to application for a court order prohibiting the disclosure of CUI.
- 11. Modification of Agreement. This Agreement can be amended with the written consent of both Parties.
- 12. Duration. This Agreement is effective as of the date the last party signs and will remain in effect until termination. Either party may terminate this Agreement by providing notice in writing [x] days prior to the effective date of termination. Upon termination, the NRC will instruct [Non-Federal Entity] to either return all CUI received pursuant to this Agreement (including any duplicates or derivative works based on CUI received pursuant to this Agreement), destroy such CUI in a manner consistent with 32 CFR § 2002.14(f), or take other appropriate action.
- 13. Severability. The provisions of this Agreement are deemed to be severable and the invalidity, illegality, or unenforceability of one or more provisions shall not affect the validity, legality, or enforceability of the remaining provisions.
- 14. Acknowledgment. The Parties to this Agreement represent and warrant that they have the authority to bind their respective organizations to its terms and conditions. All Parties have read this Agreement carefully and agree that they understand its terms and conditions.
[INSERT SIGNATURE BLOCK FOR ALL SIGNATORIES]
APPENDIX: U.S. Nuclear Regulatory Commission (NRC)
- 1. Point of Contact. For all questions or concerns that arise under this Agreement, including the breach notification requirements of Section 8 of the Agreement, contact the NRC CUI Program at CUI@NRC.GOV. For any breach related to cybersecurity incidents, also notify CSIRT@nrc.gov.
- 2. CUI Basic. NRC may share the following categories of CUI Basic with [Non-Federal Entity] pursuant to this Agreement. Unless otherwise stated, access to CUI Basic is restricted to authorized individuals who have a lawful Government purpose to access the information to perform their work. Any additional specific handling, safeguarding, or dissemination requirements stipulated in the underlying laws, regulations, or Government-wide policies are identified within each CUI category described below.
- a. Archaeological Resources
CUI Banner Marking when received from NRC: CUI//ARCHR
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Archaeological Resources Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Archaeological Resources Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/archaeological-resources
Additional Requirements (per law, regulation, Government-wide policy):
  - Dissemination: This information cannot be shared with any third parties or foreign entity absent the express consent of the NRC.
- b. General Privacy
CUI Banner Marking when received from NRC: CUI//PRVCY
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the General Privacy Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for General Privacy Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/privacy.html
- c. General Proprietary Business Information
CUI Banner Marking when received from NRC: CUI//PROPIN
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the General Proprietary Business Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for General Proprietary Business Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/proprietary-business-info.html
- d. Operations Security Information
CUI Banner Marking when received from NRC: CUI//OPSEC
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Operations Security Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Operations Security Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/operations-security-info
- 3. CUI Specified. NRC may share the following categories of CUI Specified with [Non-Federal Entity] pursuant to this Agreement. Unless otherwise stated, access to CUI Specified is restricted to authorized individuals who have a lawful Government purpose to access the information to perform their work. Any additional specific handling, safeguarding, or dissemination requirements stipulated in the underlying laws, regulations, or Government-wide policies are identified within each CUI category described below.
- a. Criminal History Records Information
CUI Banner Marking when received from NRC: CUI//SP-CHRI
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Criminal History Records Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Criminal History Records Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/criminal-history-records-info
- b. Critical Energy Infrastructure Information
CUI Banner Marking when received from NRC: CUI//SP-CEII
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Critical Energy Infrastructure Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Critical Energy Infrastructure Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/critical-energy-infrastructure-information
- c. Export Controlled Information
CUI Banner Marking when received from NRC: CUI//SP-EXPT
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Export Controlled Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Export Controlled Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/export-control.html
Additional Requirements (per law, regulation, Government-wide policy):
  - Designation: Export Controlled Information may only be designated by those with the statutory or regulatory authority: Department of Commerce, Department of Energy, and Department of State.
  - Access: Access to Export Controlled Information is restricted by the following:
    - The information must not be available to foreign nationals unless access has been specifically authorized for those individuals by an agency with the authority to grant access.
    - IT systems that contain Export Controlled Information must not have foreign nationals as system administrators.
    - Except for the above situation, access must be restricted to U.S. citizens who have authorization to access the information and a lawful Government purpose to access the information to perform their NRC work.
  - Dissemination: Export Controlled Information may only be shared with a foreign entity specifically authorized access to the information by a U.S. Federal organization authorized to grant that access.
- d. Historic Properties
CUI Banner Marking when received from NRC: CUI//SP-HISTP
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Historic Properties part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Historic Properties Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/historic-properties
Additional Requirements (per law, regulation, Government-wide policy):
  - Access: If this information has been designated by the head of a Federal agency or other public official, after consultation with the Secretary of the Interior, to be withheld from public disclosure, the information must be protected from public disclosure.
- e. Nuclear Security-Related Information
CUI Banner Marking when received from NRC: CUI//SP-SRI
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Nuclear Security-Related Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Nuclear Security-Related Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/nuclear-security-related-info.html
The authorities for Nuclear Security-Related Information are:
  - NRC Regulatory Issue Summary (RIS) 2005-26, Control of Sensitive Unclassified Non-Safeguards Information Related to Nuclear Power Reactors, November 7, 2005.
  - NRC RIS 2005-31, Revision 1, Control of Security-Related Sensitive Unclassified Non-Safeguards Information Handled by Individuals, Firms, and Entities Subject to NRC Regulation of the Use of Source, Byproduct, and Special Nuclear Material, December 26, 2017.
Notwithstanding anything else in this Agreement, [Non-Federal Entity] will handle and control Nuclear Security-Related Information received from the NRC consistent with the controls in either RIS shown above.
- f. Protected Critical Infrastructure Information
CUI Banner Marking when received from NRC: CUI//SP-PCII
  - This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or is of a lower level of sensitivity when the Protected Critical Infrastructure Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Protected Critical Infrastructure Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/protected-critical-infrastructure-information
Additional Requirements (per law, regulation, Government-wide policy):
  - Dissemination: This information cannot be shared with any third parties or foreign entity absent the express consent of the NRC.
- g. Safeguards Information and Safeguards Information-Modified Handling
CUI Banner Marking when received from NRC: CUI//SP-SGI
The authority for Safeguards Information is 10 CFR Part 73, Physical Protection of Plants and Materials. Notwithstanding anything else in this Agreement, [Non-Federal Entity] will handle and control Safeguards Information received from the NRC pursuant to the terms of this Agreement consistent with the controls in 10 CFR Part 73, as required by law.
All Safeguards Information (both internal and external to the NRC) will continue to have the specific markings required by 10 CFR 73.22(d), Protection of Safeguards Information: Specific Requirements, or 10 CFR 73.23(d), Protection of Safeguards Information-Modified Handling: Specific Requirements.
Safeguards Information that is generated or possessed by the NRC will also have the CUI//SP-SGI banner marking located beneath the required marking, in addition to (not in lieu of) the required markings in Part 73.
The safeguarding and/or dissemination authority(ies) for Safeguards Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/safeguards-info