ML22251A084
Draft Supporting Statement - NRC CUI Information Sharing Agreement

Issue date: 01/24/2023
From: NRC/OCIO
Shared Package: ML22258A170

DRAFT SUPPORTING STATEMENT FOR NRC Controlled Unclassified Information Program Information-Sharing Agreement (3150-XXXX)

NEW

Description of the Information Collection

The CUI program was established pursuant to Executive Order 13556, "Controlled Unclassified Information." The National Archives and Records Administration (NARA) has issued government-wide implementing regulations for executive branch agencies to implement the CUI program at 32 CFR Part 2002.

32 CFR 2002.16(a)(5)(i), "Information-sharing agreements," requires agencies to enter into a formal CUI information-sharing agreement, whenever feasible, when they intend to share CUI in any form (hard copy or electronic) with non-executive branch entities. To implement this requirement, the NRC developed a formal information-sharing agreement that also facilitates the agency's ability to share CUI with non-executive branch entities. In addition, if a non-executive branch entity's information systems process or store CUI, the CUI Rule requires agencies to prescribe National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," when establishing security requirements in written agreements to protect the confidentiality of the CUI.

Any non-executive branch entity (e.g., licensees, applicants, vendors, and State, local, and Tribal governments) with which the NRC intends to share CUI, regardless of form (hard copy or electronic), will be asked to voluntarily sign the CUI information-sharing agreement. This agreement contains reporting and recordkeeping requirements for non-executive branch entities: to review and submit the signed information-sharing agreement to the NRC, to report to the NRC any non-compliance in handling CUI, and to report whether their information systems meet the CUI security requirements in NIST SP 800-171. The establishment of this agreement satisfies the requirements of 32 CFR 2002.16(a)(5)(i), "Information-sharing agreements."

A. JUSTIFICATION

1. Need For the Collection of Information
  • 32 CFR 2002.16(a)(5)(i), Information-sharing agreements, requires agencies to enter into a formal agreement, whenever feasible, when they intend to share CUI in any form (hard copy or electronic) with non-executive branch entities. By regulation, agreements with non-executive branch entities must include provisions that state:

o Non-executive branch entities must handle CUI in accordance with Executive Order 13556, 32 CFR 2002, and the CUI Registry (see 32 CFR 2002.16(a)(5)(i) and (6)(i)).

o Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies (see 32 CFR 2002.16(a)(6)(ii)); and

o The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency's CUI Senior Agency Official (see 32 CFR 2002.16(a)(6)(iii)).

  • The NRC information-sharing agreement includes these required provisions, including the requirement for non-executive branch entities to report any non-compliance with handling CUI (See Section 9, CUI security incidents and misuse, of the NRC information-sharing agreement).
  • The NRC intends to enter into formal information-sharing agreements with non-executive branch entities before the agency transitions to CUI. The NRC informs non-executive branch entities of the status of its transition to CUI during routine NRC CUI public meetings and by posting updates on the NRC's CUI public website, https://www.nrc.gov/reading-rm/cui.html. The NRC will make the formal information-sharing agreement available to non-executive branch entities for voluntary signature in a fillable-fileable electronic format, or in hard copy format upon request. Any non-executive branch entity may transmit the signed agreement to the NRC in electronic or hard copy format.

2. Agency Use and Practical Utility of Information

The information requested in Section 9 of the CUI information-sharing agreement is the minimum necessary for a non-executive branch entity to report to the NRC a non-compliance in handling CUI.

The NRC will analyze the reported information to facilitate the rapid resolution of any breach of CUI and to implement mitigation measures that minimize further security risk.

In addition, this information-sharing agreement helps the NRC comply with the CUI Rule's requirement to establish formal CUI information-sharing agreements with its stakeholders and supports the NRC's ability to identify how CUI will be shared with each signatory of the agreement.

3. Reduction of Burden Through Information Technology

The NRC staff estimates that approximately 100% of reports of CUI security incidents and misuse will be submitted to the NRC electronically. There will be no paper-based submissions to implement this reporting requirement.

4. Effort to Identify Duplication and Use Similar Information

No sources of similar information are available. There is no duplication of requirements.

5. Effort to Reduce Small Business Burden

Since the requirements for handling and storing CUI are the same for large and small entities, it is not possible to reduce the burden on small businesses by imposing less frequent or less complete reporting or recordkeeping requirements.

6. Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently

This information is collected only when a non-executive branch entity reports mishandling or misuse of CUI to the NRC, so it could not be collected less frequently. If the information were not collected, the NRC could not comply with the requirements of 32 CFR 2002.16(a)(6)(iii). Specifically, the NRC would have no way to be informed of CUI security incidents when a non-executive branch entity mishandles or misuses CUI disseminated to it by the NRC staff.

7. Circumstances Which Justify Variation from OMB Guidelines

Not applicable.

8. Consultations Outside the NRC

Opportunity for public comment on the information collection requirements for this clearance package was published in the Federal Register.

9. Payment or Gift to Respondents

Not applicable.

10. Confidentiality of Information

Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 9.17(a) and 10 CFR 2.390(b).

11. Justification for Sensitive Questions

This information collection does not request sensitive information.

12. Estimated Burden and Burden Hour Cost

The following estimates are based upon the NRC's review of its existing information-sharing program.
a. Reporting burden for each non-executive branch entity to review the NRC's CUI information-sharing agreement

On average, the NRC estimates that it will take a non-executive branch entity approximately ten hours to review, sign, and submit the signed agreement to the NRC. This estimate is based upon the fact that many of the non-executive branch entities that are expected to receive CUI from the NRC are already receiving sensitive unclassified information from the NRC under its existing information-sharing program. Although the concept of protecting sensitive unclassified information consistent with any applicable laws, regulations, or governmentwide policies is not new to these non-executive branch entities, the NRC's CUI information-sharing agreement is new. Therefore, the NRC expects that it would take approximately ten hours to support their internal review and signature within their respective organizations. In addition, the NRC expects one response per respondent.

Commented [DC1]: Responses per respondent?

Commented [TM2R1]: We only expect one response per each respondent, the response being that they sign the agreement. They do not have to sign multiple agreements. Does my proposed edit address your question, or were you seeking additional clarification? Thank you.

b. Reporting burden for each non-executive branch entity to report suspected CUI security incidents

A CUI security incident is the improper access, use, disclosure, modification, or destruction of CUI, in any form or medium. The NRC currently estimates that:

o It will receive approximately twenty-five reports per year (25 different respondents submitting one report annually).

o It will take the non-executive branch entity approximately four hours to prepare, review, and submit the initial notification to the NRC, to the extent that the information is known at the time. The notification would include the information required in Section 9 of the NRC's information-sharing agreement.

o The non-executive branch entity may also need to promptly supplement any initial notification to the NRC with additional information as it becomes available. At this time, the NRC roughly estimates receiving approximately one follow-up notification from the non-executive branch entity. The NRC estimates that it will take the non-executive branch entity approximately one hour to prepare, review, and submit any follow-up notification to the NRC.

Commented [DC3]: Am I correct to assume this is for 25 different respondents per year?

Commented [TM4R3]: For the purposes of this information collection, we are assuming that this is 25 different respondents, each submitting 1 report. But because I have no way to predict what type of security incidents could occur in the future, the potential exists for a respondent to report more than one security incident.

c. Recordkeeping burden for each non-executive branch entity developing and maintaining the record to demonstrate compliance with NIST SP 800-171

Based upon feedback provided by non-executive branch entities during recent NRC CUI public meetings, the NRC does not anticipate any recordkeeping burden for non-executive branch entities to maintain records of their compliance with NIST SP 800-171 security requirements.

The $288 hourly rate used in the burden estimates is based on the Nuclear Regulatory Commission's fee for hourly rates as noted in 10 CFR 170.20, "Average cost per professional staff-hour." For more information on the basis of this rate, see the Revision of Fee Schedules; Fee Recovery for Fiscal Year 2021 (86 FR 32146, June 17, 2021).

Table 1: Reporting and Recordkeeping Burden Hours/Burden Cost to Respondents

Item | Estimated Burden Hours (per response) | Estimated Responses (yr) | Estimated Burden (hrs/yr) | Estimated Rate ($/hr) | Estimated Total Cost ($)
Review, sign, and submit the information-sharing agreement | 10 | 1,236 | 12,360 | $288.00 | $3,559,680.00
Initial review and reporting of a CUI security incident or breach | 4 | 25 | 100 | $288.00 | $28,800.00
Follow-on reporting of a CUI security incident or breach | 1 | 25 | 25 | $288.00 | $7,200.00
Recordkeeping burden for each non-executive branch entity developing and maintaining the record to demonstrate compliance with NIST SP 800-171 | 1 | 0 | 0 | 0 | 0
Totals | | | 12,485 | | $3,595,680.00

13. Estimate of Other Additional Costs

There are no additional costs.

14. Estimated Annualized Cost to the Federal Government

The NRC estimates that it takes approximately:

o 1 hour to review the initial report and process each notification.

o 1 hour to review one follow-up notification.

Commented [DC5]: Am I correct to assume that we do not anticipate any burden to the Federal Government for reviewing the submitted Information Sharing Agreements?

Commented [TM6R5]: That is correct.

Table 2: Burden Hour/Burden Cost to the Federal Government

Item | Estimated Hours (per response) | Estimated Responses (yr) | Estimated Burden (hrs/yr) | Estimated Rate ($/hr) | Estimated Total Cost ($)
Review initial report and process | 1 | 25 | 25 | $288.00 | $7,200.00
Review follow-up notification | 1 | 25 | 25 | $288.00 | $7,200.00
Totals | | | 50 | | $14,400.00

15. Reasons for Change in Burden or Cost

This is a new clearance.

16. Publication for Statistical Use

Not applicable. The NRC does not plan to publish this information for statistical use.

17. Reason for Not Displaying the Expiration Date

The form in this information collection will display the OMB Control Number and the expiration date of OMB approval.

18. Exceptions to the Certification Statement

There are no exceptions.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.