ML22249A154

| Field | Value |
|---|---|
| Issue date | 01/24/2023 |
| From | NRC/OCIO |
| To | Tanya Mensah |
APPROVED BY OMB: NO. 3150-XXXX EXPIRATION DATE: XX/XX/202X Estimated burden per response to comply with this voluntary information collection: X hour(s). The information is requested to enable the NRC to comply with the requirements of 32 CFR 2002.16(a)(5) for sharing CUI.
Send comments regarding burden estimate to the FOIA, Library, and Information Collections Branch (T-6 A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and the OMB reviewer at: OMB Office of Information and Regulatory Affairs, (3150-XXXX), Attn: Desk Officer for the Nuclear Regulatory Commission, 725 17th Street NW, Washington, DC 20503; e-mail: oira_submission@omb.eop.gov. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

CUI Information-Sharing Agreement
- 1. Purpose and Background. The purpose of this Agreement is to establish a framework between [Non-Federal Entity] and the U.S. Nuclear Regulatory Commission (NRC) (collectively referred to as the Parties), to enable the NRC to share Controlled Unclassified Information (CUI) consistent with Title 32 of the Code of Federal Regulations (32 CFR) § 2002.16(a)(5), which states that Federal agencies should enter into formal written agreements prior to sharing CUI with non-executive branch entities.
This Agreement sets forth safeguarding, access, and dissemination controls that apply to CUI the NRC shares with [Non-Federal Entity]. [Non-Federal Entity] accepts these controls, which are described herein, as a condition of being provided access to the CUI. Nothing in this Agreement establishes a right or entitlement to receive CUI from the NRC.
- 2. Applicability. This agreement does not apply to the transmission by the NRC of [Non-Federal Entity's] own information back to [Non-Federal Entity], irrespective of whether (a) the NRC is required to treat the [Non-Federal Entity's] information as CUI while in the NRC's possession; (b) the NRC has incorporated the [Non-Federal Entity's] own information into a new document that the NRC is sharing with [Non-Federal Entity]; or (c) the information as transmitted to [Non-Federal Entity] is marked as CUI.
This agreement does, however, apply to the sharing of CUI by the NRC that is not [Non-Federal Entity's] own information, even if that CUI is included in a document that also includes the [Non-Federal Entity's] own information. For purposes of this section, [Non-Federal Entity's] own information includes information that was originally provided to the NRC or to another federal agency by [Non-Federal Entity].
Even though this agreement does not apply to the transmission by the NRC of [Non-Federal Entity's] own information back to [Non-Federal Entity], there may be other legal requirements applicable to [Non-Federal Entity's] possession or handling of the information, and this agreement is not intended to alter or supersede any such requirements.
- 3. Definitions.
Controlled unclassified information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or information that is classified under the Atomic Energy Act of 1954, as amended. CUI does not include information that a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. It includes information in either digital or hard-copy format.
CUI Basic and CUI Specified. All CUI shared pursuant to the terms of this Agreement will qualify as either CUI Basic or CUI Specified.
CUI Basic. CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. This information is governed by the CUI Basic controls set forth in 32 CFR 2002.
CUI Specified. CUI Specified is the subset of CUI for which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from the default controls associated with CUI Basic.
CUI categories. CUI is divided into categories that reflect the types of information for which laws, regulations, or Government-wide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI Executive Agent (Director of the Information Security Oversight Office at the National Archives and Records Administration) has approved and listed in the CUI Registry.
CUI Registry. The CUI Registry is the online repository for all executive branch-level information, guidance, policy, and requirements on handling CUI, including 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures (see https://www.archives.gov/cui).
CUI security incident. Improper access, use, disclosure, modification, or destruction of CUI, in any form or medium, constitutes a CUI security incident.
Handling. Any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information, constitutes handling.
Lawful Government purpose. CUI may be shared with a person who has a lawful Government purpose to handle the information, which is any activity, mission, function, operation, or endeavor that the Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities, such as state and local law enforcement.
Limited dissemination control. These are any CUI Executive Agent-approved controls identified on the CUI Registry that agencies may use to limit or specify CUI dissemination.
- 4. Safeguarding, Access, and Dissemination Controls.
- a. The NRC will appropriately mark or identify all CUI shared pursuant to this Agreement and identify the information as either CUI Basic or CUI Specified prior to or at the time it is shared.
- b. CUI Basic. [Non-Federal Entity] agrees to handle any CUI Basic received pursuant to this Agreement as follows:
- 1. Physical security and handling: Meet the physical security and storage, mailing, reproduction, and transmission requirements in 32 CFR § 2002.14. [Non-Federal entity] may select appropriate methods to meet these requirements;
- 2. Information systems: [Non-Federal Entity] will select one of the three options listed below by placing an X in the blank space that applies.
____ [Non-Federal entity] certifies that its non-Federal information systems that may handle CUI are in full compliance with the standards described in the latest version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations, in effect at the time this Agreement is signed (available at https://csrc.nist.gov/publications/sp800). [Non-Federal entity] may take possession (e.g., download, forward, or print) of CUI using these information systems. [Non-Federal entity] agrees to protect the confidentiality of CUI on these information systems in accordance with the standards in NIST SP 800-171, or any alternative or enhanced controls identified in the Appendix for a particular CUI category. Upon request, the NRC may ask to review [Non-Federal entity]'s system security plan (SSP) and Plan of Actions and Milestones (POAM), described in NIST SP 800-171.
____ [Non-Federal entity] certifies that it is in the process of ensuring that its non-Federal information systems that may handle CUI are compliant with NIST SP 800-171, and that, at minimum, it has completed the SSP and POAM described in NIST SP 800-171. [Non-Federal entity] may take possession (e.g., download, forward, or print) of CUI using these information systems. [Non-Federal entity] agrees to protect the confidentiality of CUI on its information systems in a manner consistent with these plans, and agrees to protect the confidentiality of CUI on its information systems in accordance with NIST SP 800-171 (or any alternative or enhanced controls identified in the Appendix for a particular CUI category) upon achieving full compliance with the NIST SP 800-171 standards. Upon request, the NRC may ask to review [Non-Federal entity]'s SSP and POAM, described in NIST SP 800-171.
____ [Non-Federal entity's] information systems are not in compliance with NIST SP 800-171, nor has [Non-Federal entity] completed the SSP and POAM described in NIST SP 800-171. [Non-Federal entity] understands that the NRC may be unable or unwilling to electronically share CUI with [Non-Federal entity], where the agency has discretion, unless or until [Non-Federal entity], at minimum, completes an SSP and POAM. The NRC may share CUI with [Non-Federal entity] in hard copy, and [Non-Federal entity] may not digitally convert such CUI for processing, storage, or transmission on any information system. Where feasible, the NRC may share CUI electronically through a view-only platform. If the NRC shares CUI through a platform intended for view-only access, [Non-Federal entity] may view the CUI electronically through the view-only platform but agrees not to take other actions that involve electronic processing, storage, or transmission of the CUI, such as downloading, forwarding, or printing the CUI using any information systems. [Non-Federal entity] understands that all physical security and handling requirements described in this agreement apply to any hard copy CUI.
- c. CUI Specified. The NRC will identify any unique safeguarding, access, or dissemination controls for CUI Specified in the Appendix. [Non-Federal Entity] will handle CUI Specified received pursuant to this Agreement consistent with the CUI Basic standards in section 4.a of this Agreement, except to the extent that the CUI Specified is subject to specific handling controls identified in the Appendix, in which case [Non-Federal Entity] will apply those controls. The NRC will ensure that [Non-Federal Entity] is aware of such specified handling controls prior to or at the time the CUI Specified is shared, either through the Appendix or on a case-by-case basis.
- 5. Duplication or creation of derivative CUI. Any CUI received from the NRC pursuant to this Agreement that is duplicated by [Non-Federal Entity], including but not limited to copying, printing, scanning, or any other means of physical or electronic duplication, must be handled pursuant to this Agreement in the same manner as the original CUI source information. [Non-Federal Entity] must ensure that equipment used for such duplication, such as printers, copiers, scanners, or fax machines, do not retain the data or that such equipment is properly sanitized so as to ensure the information is not retrievable, in accordance with NIST SP 800-53. [Non-Federal Entity] may create derivative documents using CUI that is received pursuant to this Agreement, so long as such derivative documents are then marked and handled pursuant to this Agreement in the same manner as the original CUI source information.
- 6. Third-party sharing. Unless expressly stated otherwise, this Agreement does not prevent [Non-Federal Entity] from sharing CUI received pursuant to this Agreement so long as such sharing is permitted by the law, regulation, or Government-wide policy governing the CUI and the disclosure furthers a lawful Government purpose. Examples of such disclosure may include, but are not limited to, disclosure to law enforcement agencies or to a court of competent jurisdiction pursuant to a court order. [Non-Federal Entity] is strongly encouraged to contact the NRC point of contact(s) identified in the designation indicator of the document/information prior to sharing any CUI received pursuant to this Agreement if [Non-Federal Entity] is unsure whether this standard is met in a given situation.
- 7. Limited dissemination controls. The NRC may, at or prior to the time CUI is shared with [Non-Federal Entity], place limited dissemination controls on CUI that expressly restrict sharing that CUI with certain individuals or classes of individuals (e.g., prohibitions on sharing the CUI with foreign governments or foreign nationals, or requirements to share the information only with people or entities on an included distribution list). The NRC will clearly mark and convey such limitations at the time the CUI is shared. The NRC will only utilize such limited dissemination controls when there is a lawful Government purpose for doing so.
- 8. Point of Contact. The NRC point of contact for the agency's CUI program is included in the Appendix. [Non-Federal Entity] must utilize the point of contact identified in the Appendix for all questions concerning the scope, applicability, or interpretation of this Agreement, as well as for reporting any CUI security incidents referenced in Section 8.
- 9. CUI security incidents and misuse.
- a. When [Non-Federal Entity] discovers a suspected or confirmed CUI security incident (i.e., information spill or security breach) or misuse of CUI, it must promptly notify the appropriate NRC point of contact identified in the Appendix. This notification must include, to the extent it is known at the time, all relevant circumstances surrounding the incident, including identification of the CUI involved and the extent to which the [Non-Federal Entity] knows or suspects the CUI has been disseminated to or accessed by unauthorized individuals. [Non-Federal Entity] should promptly supplement this initial notification with additional information as it becomes available. The NRC may also request [Non-Federal Entity] to supplement this notification with additional relevant information, when necessary.
Misuse of CUI may serve as a basis for terminating this Agreement or a basis for the NRC to discontinue voluntarily sharing CUI with [Non-Federal Entity].
- b. [Non-Federal Entity] reporting obligations under this Agreement are in addition to any other applicable requirements in law, regulation, or policy. This Agreement does not relieve or supersede any such requirements.
- 10. Assignment. CUI that is shared with [Non-Federal Entity] remains the property of the United States Government and the United States Government retains all rights to any royalties, remunerations, or emoluments that resulted, will result, or may result from any disclosure, publication, or revelation of CUI covered under this Agreement.
- 11. Enforcement. [Non-Federal Entity] understands that mishandling CUI in contravention of the terms and conditions of this Agreement may subject [Non-Federal Entity] to any applicable administrative, civil, or criminal penalties, as appropriate, under the laws or regulations of the United States applicable to the CUI category involved (see 32 CFR § 2002.16(a)(6)(ii)). The United States Government has not waived any statutory or common law privileges or protections that it may assert in any administrative or court proceeding to protect CUI that is shared pursuant to the terms of this Agreement. The United States Government retains the right to seek any remedy available, including but not limited to application for a court order prohibiting the disclosure of CUI.
- 12. Modification of Agreement. This Agreement can be amended with the written consent of both Parties.
- 13. Duration. This Agreement is effective as of the date the last party signs and will remain in effect until termination. Either party may terminate this Agreement by providing notice in writing [x] days prior to the effective date of termination. Upon termination, the NRC will instruct [Non-Federal Entity] to either return all CUI received pursuant to this Agreement (including any duplicates or derivative works based on CUI received pursuant to this Agreement), destroy such CUI in a manner consistent with 32 CFR § 2002.14(f), or take other appropriate action.
- 14. Severability. The provisions of this Agreement are deemed to be severable and the invalidity, illegality, or unenforceability of one or more provisions shall not affect the validity, legality, or enforceability of the remaining provisions.
- 15. Acknowledgment. The Parties to this Agreement represent and warrant that they have the authority to bind their respective organizations to its terms and conditions. All Parties have read this Agreement carefully and agree that they understand its terms and conditions.
Digital Signature
[Non-Federal Entity], Title
[NRC CUI Senior Agency Official]
[Organization Name/Dept]
Office of Chief Information Officer
APPENDIX
US Nuclear Regulatory Commission (NRC)
- 1. Point of Contact. For all questions or concerns that arise under this Agreement, including the breach notification requirements of Section 9 of the Agreement, contact the NRC CUI Program at CUI@NRC.GOV. For any breach related to non-cybersecurity incidents, notify CUI@nrc.gov. For any breach related to cybersecurity incidents, notify CUI@nrc.gov and CSIRT@nrc.gov.
- 2. CUI Basic. NRC may share the following categories of CUI Basic with [Non-Federal Entity] pursuant to this Agreement. Unless otherwise stated, access to CUI Basic is restricted to authorized individuals that have a lawful Government purpose to access the information to perform their work. Any additional specific handling, safeguarding, or dissemination requirements stipulated in the underlying laws, regulations, or Government-wide policies are identified within each CUI category described below.
- a. Archaeological Resources
CUI Banner Marking when received from NRC: CUI//ARCHR
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Archaeological Resources Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Archaeological Resources information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/archaeological-resources
Additional Requirements (per law, regulation, Government-wide policy):
o Dissemination: This information cannot be shared with any third parties or foreign entity absent the express consent of the NRC.
- b. General Privacy
CUI Banner Marking when received from NRC: CUI//PRVCY
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the General Privacy Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for General Privacy information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/privacy.html
- c. General Proprietary Business Information
CUI Banner Marking when received from NRC: CUI//PROPIN
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the General Proprietary Business Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for General Proprietary Business information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/proprietary-business-info.html
- d. Operations Security Information
CUI Banner Marking when received from NRC: CUI//OPSEC
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Operations Security Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Operations Security Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/operations-security-info
- 3. CUI Specified. NRC may share the following categories of CUI Specified with [Non-Federal Entity] pursuant to this Agreement. Unless otherwise stated, access to CUI Specified is restricted to authorized individuals that have a lawful Government purpose to access the information to perform their work. Any additional specific handling, safeguarding, or dissemination requirements stipulated in the underlying laws, regulations, or Government-wide policies are identified within each CUI category described below.
- a. Criminal History Records Information
CUI Banner Marking when received from NRC: CUI//SP-CHRI
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Criminal History Records Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Criminal History Records Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/criminal-history-records-info
- b. Critical Energy Infrastructure Information
CUI Banner Marking when received from NRC: CUI//SP-CEII
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Critical Energy Infrastructure Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Critical Energy Infrastructure Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/critical-energy-infrastructure-information
Export Controlled Information
CUI Banner Marking when received from NRC: CUI//SP-EXPT
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Export Controlled Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Export Controlled Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/export-control.html
Additional Requirements (per law, regulation, Government-wide policy):
o Designation: Export Controlled Information may only be designated by those with the statutory or regulatory authority: Department of Commerce, Department of Energy, and Department of State.
o Access: Access to Export Controlled Information is restricted by the following:
The information must not be available to foreign nationals unless access has been specifically authorized for those individuals by an agency with the authority to grant access.
IT systems that contain Export Controlled Information must not have foreign nationals as system administrators.
Except for the above situation, access must be restricted to U.S. citizens that have authorization to access the information and a lawful Government purpose to access the information to perform their NRC work.
o Dissemination: Export Controlled Information may only be shared with a foreign entity specifically authorized access to the information by a U.S. Federal organization authorized to grant that access.
- c. Historic Properties
CUI Banner Marking when received from NRC: CUI//SP-HISTP
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Historic Properties part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Historic Properties Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/historic-properties
Additional Requirements (per law, regulation, Government-wide policy):
o Access: If this information has been designated by the head of a Federal agency or other public official, after consultation with the Secretary of the Interior, to be withheld from public disclosure, the information must be protected from public disclosure.
- d. Nuclear Security-Related Information
CUI Banner Marking when received from NRC: CUI//SP-SRI
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Nuclear Security-Related Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Nuclear Security-Related Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/nuclear-security-related-info.html
The authorities for Nuclear Security-Related Information are:
o NRC Regulatory Issue Summary (RIS) 2005-26, Control of Sensitive Unclassified Non-Safeguards Information Related to Nuclear Power Reactors, November 7, 2005.
o NRC RIS 2005-31, Revision 1, Control of Security-Related Sensitive Unclassified Non-Safeguards Information Handled by Individuals, Firms, and Entities Subject to NRC Regulation of the Use of Source, Byproduct, and Special Nuclear Material, December 26, 2017.
Notwithstanding anything else in this Agreement, [Non-Federal Entity] will handle and control Nuclear Security-Related Information received from the NRC consistent with the controls in either RIS shown above.
- e. Protected Critical Infrastructure Information
CUI Banner Marking when received from NRC: CUI//SP-PCII
o This information will be isolated by the NRC into an appendix or attachment such that the main document is not sensitive or a lower level of sensitivity when the Protected Critical Infrastructure Information part is not included, where possible.
The safeguarding and/or dissemination authority(ies) for Protected Critical Infrastructure Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/protected-critical-infrastructure-information
Additional Requirements (per law, regulation, Government-wide policy):
o Dissemination: This information cannot be shared with any third parties or foreign entity absent the express consent of the NRC.
- f. Safeguards Information and Safeguards Information-Modified Handling
CUI Banner Marking when received from NRC: CUI//SP-SGI
The authority for Safeguards Information is 10 CFR Part 73, Physical Protection of Plants and Materials. Notwithstanding anything else in this Agreement, [Non-Federal Entity] will handle and control Safeguards Information received from the NRC pursuant to the terms of this Agreement consistent with the controls in 10 CFR Part 73, as required by law.
All Safeguards Information (both internal and external to the NRC) will continue to have the specific markings required by 10 CFR 73.22(d), Protection of Safeguards Information: Specific Requirements, or 10 CFR 73.23(d), Protection of Safeguards Information-Modified Handling: Specific Requirements.
Safeguards Information that is generated or possessed by the NRC will also have the CUI//SP-SGI banner marking located beneath the required marking, in addition to (not in lieu of) the required markings in Part 73.
The safeguarding and/or dissemination authority(ies) for Safeguards Information is provided in the NARA CUI Registry: https://www.archives.gov/cui/registry/category-detail/safeguards-info