ML22159A218
| Field | Value |
|---|---|
| Issue date | 06/17/2022 |
| From | Tanya Mensah, Governance & Enterprise Management Services Division |
| To | David Nelson, NRC/OCIO |
| Shared package | ML22167A024 |
MEMORANDUM TO: David J. Nelson, Chief Information Officer, Office of the Chief Information Officer
FROM: Tanya M. Mensah, CUI Program Manager, Office of the Chief Information Officer
SUBJECT: SUMMARY OF THE JUNE 2, 2022, VIRTUAL PUBLIC MEETING TO DISCUSS THE STATUS OF THE U.S. NUCLEAR REGULATORY COMMISSION'S PLANS TO TRANSITION TO CONTROLLED UNCLASSIFIED INFORMATION
On June 2, 2022, the U.S. Nuclear Regulatory Commission (NRC) held a virtual public meeting with a question-and-answer session to provide an update on the status of its plans to establish and transition to a controlled unclassified information (CUI) program. Specifically, the NRC discussed topics related to its plan to establish a CUI information-sharing agreement with stakeholders. Representatives from the Nuclear Energy Institute, NRC Agreement States, industry, and members of the public attended the meeting virtually. In addition, several representatives from the National Archives and Records Administration Information Security Oversight Office attended to observe the meeting and address questions on the CUI rule requirements and National Institute of Science and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," Revision 2, issued February 2020. The NRC has made all information related to this meeting and discussed in this summary available in the Agencywide Documents Access and Management System (ADAMS) at Accession No. ML22167A24. The virtual public meeting was recorded and is available on the NRC's CUI public website (https://www.nrc.gov/reading-rm/cui.html) under "Related Information" and on the NRC's YouTube channel at https://youtu.be/X59TF1WqfIs.
During the meeting, the NRC staff focused on the CUI rule requirements pertaining to information-sharing agreements, as described in Title 32 of the Code of Federal Regulations (32 CFR) Part 2002, "Controlled Unclassified Information (CUI)"; shared a current timeline to implement a CUI program at the NRC; discussed a draft regulatory issue summary to inform stakeholders of the NRC's plans to establish CUI information-sharing agreements with them in (approximately) spring 2023; and covered topics such as NIST SP 800-171 requirements, third-party agreements, and any plans to share CUI in a view-only mode with non-Federal entities. The NRC staff presentation slides provide additional detail (ML22145A550).
CONTACT: Tanya M. Mensah, OCIO, (301) 415-3610
June 17, 2022
Signed by Mensah, Tanya on 06/16/22
To facilitate discussion on written agreements during the meeting, the NRC staff mentioned the draft CUI information-sharing agreement currently under development (ML22145A552). The staff described how the draft CUI information-sharing agreement permits stakeholders to identify whether they do the following:
Have their system security plan (SSP) and plan of action and milestones (POA&M), at a minimum, in place to work towards complying with NIST SP 800-171.
Prefer to use an alternative NRC method to access CUI (i.e., in view-only mode or as a hardcopy of the CUI sent in the mail).
The NRC staff also described how the CUI information-sharing agreement will be submitted to the Office of Management and Budget once finalized, in accordance with the Paperwork Reduction Act process, to seek a clearance number. An opportunity for public comment on the CUI information-sharing agreement will be available as part of the Paperwork Reduction Act process.
During the virtual public meeting, several stakeholders provided feedback and recommendations for NRC consideration, as follows:
Include a provision in the agreement regarding how stakeholders should handle NRC CUI documents when the licensee owns the information included in such documents.
Include more detail regarding the acceptable physical security protections needed to handle the different CUI categories listed in the appendix of the agreement.
Clarify whether stakeholders will be required to meet subsequent revisions of NIST SP 800-171 after the agreement is signed.
Several stakeholders also discussed their plans to develop a gap analysis to meet NIST SP 800-171 so that they can take possession of CUI (i.e., by download or print) they receive from the NRC onto their non-Federal information system. These entities identified a challenge with being able to complete their NIST SP 800-171 gap analysis before the NRC expects to transition to CUI on September 20, 2022. During the meeting, the NRC staff clarified that stakeholders do not need to submit their SSP and POA&M to the NRC in all instances, but the NRC could ask for these materials to be submitted upon request. Several stakeholders provided feedback and recommendations for NRC consideration on this topic, as follows:
In the draft CUI information-sharing agreement, clarify what conditions would necessitate the NRC's request for a stakeholder to submit its SSP and POA&M for NRC review.
Clarify the process that stakeholders should follow to coordinate with the NRC if they want to be able to download CUI starting on the NRC's expected transition date.
During the NRC's discussion of the view-only alternative, the staff shared one method that is currently under consideration. The NRC staff also described its plans to make final decisions later this summer regarding the tool to support a view-only alternative and to communicate those plans to stakeholders. Several stakeholders provided feedback and recommendations for NRC consideration on this topic, as follows:
A view-only option would not be efficient for stakeholders and would impose an additional burden on them.
The NRC should continue to seek alternatives that permit stakeholders to at least print CUI without having to take possession of it in their non-Federal information system.
According to 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material, licensees are required to retain background investigation records for a period of time. A view-only option would not help stakeholders that receive these records in an electronic format because they need to be able to take possession of CUI in their non-Federal information system to meet 10 CFR Part 37.
The staff made no regulatory decisions or commitments during the meeting.
At the meeting's conclusion, the NRC staff informed participants of its plans to undertake the following activities:
Continue to coordinate with NRC staff and stakeholders as the NRC prepares to transition to CUI on September 20, 2022 (estimated timeline).
Continue to engage and seek feedback from NRC external stakeholders on a routine basis.
Continue to pursue alternatives (e.g., view-only) that will minimize the burden on NRC external stakeholders of complying with NIST SP 800-171.
Continue to coordinate with stakeholders that plan to meet NIST SP 800-171 so that they can take possession of CUI they receive from the NRC.
(Pkg) ML22167A024; (Memo) ML22159A218
*concur via email

| OFFICE | QTE* | OCIO/GEMS | OCIO/GEMS/D | OCIO/DD |
|---|---|---|---|---|
| NAME | JDougherty | TMensah | JFeibus | SFlanders |
| DATE | 06/13/22 | 06/17/22 | 06/16/22 | 06/ /22 |