ML22286A075

Proposal to Transmit Safeguards Information Via Cloud-Based Systems
Issue date: 09/12/2024
From: Craig Erlanger, Office of Nuclear Security and Incident Response
To: J. Uhle, Nuclear Energy Institute; T. Brito
Shared Package: ML22286A078

Dr. Jennifer Uhle
Vice President, Generation and Suppliers
Nuclear Energy Institute
1201 F Street, NW, Suite 1100
Washington, DC 20004

SUBJECT: PROPOSAL TO TRANSMIT SAFEGUARDS INFORMATION VIA CLOUD-BASED SYSTEMS

Dear Dr. Jennifer Uhle:

In your September 16, 2022, letter (Agencywide Documents Access and Management System Accession No. ML22286A076), the Nuclear Energy Institute (NEI) outlined its position with respect to the transmission of Safeguards Information (SGI), including voice communications, on cloud-based systems. It is the U.S. Nuclear Regulatory Commission's (NRC's) understanding, based on conversations with your staff, that NEI is not contemplating the transmission of videos or documents containing SGI over cloud-based systems.

The letter seeks the NRC's concurrence on NEI's position that it is acceptable for licensees to transmit SGI on cloud-based communications/collaboration platforms with capabilities sufficient to provide high assurance[1] that the SGI is protected against unauthorized disclosure before, during, and after transmission. Title 10 of the Code of Federal Regulations (10 CFR) 73.22(f)(3) requires, in part, that SGI transmissions be encrypted by a method meeting Federal Information Processing Standard (FIPS) 140-2 or later. The letter also states that the combination of Federal Risk and Management Program (FedRAMP) authorization, appropriate administrative controls, and FIPS 140-2 compliance would provide comprehensive controls for the protection of SGI. Because FedRAMP authorization requires the use of FIPS 140-2 encryption of data in transit, the staff has concluded that a FedRAMP-based solution can be used to assist in determining whether a particular solution meets the encryption requirements in 10 CFR 73.22. However, the staff was unable to conclude, based on the information provided, whether a solution offering security equivalent to FedRAMP's but hosted outside the FedRAMP environment (i.e., a commercially provided hosted solution) would be sufficient to protect SGI.

Paragraph 73.22(f)(3) of 10 CFR further requires, in part, that except under emergency conditions, SGI shall be transmitted outside an authorized place of use or storage only by NRC-approved secure electronic devices. The letter states that NEI's position is that the NRC should consider any application that is FedRAMP-authorized as acceptable for use when appropriate administrative controls are implemented to ensure SGI is protected before, during, and after transmission. Without further information about the specific administrative and security controls that would apply to these solutions, as well as additional information about the specific hardware that would support it, the NRC is unable to determine whether such a solution would constitute an NRC-approved secure electronic device under 10 CFR 73.22(f)(3).

[1] 10 CFR 73.22(f)(3) requires, in part, that when transmitting SGI outside authorized places of use and storage, transmitters and receivers implement processes that will provide high assurance that SGI is protected before and after the transmission. In SRM-SECY-16-0073, "Options and Recommendations for the Force-on-Force Inspection Program in Response to SRM-SECY-14-0088," the Commission stated that the concept of high assurance of adequate protection found in our security regulations is equivalent to reasonable assurance when it comes to determining what level of regulation is appropriate. In this letter, the term high assurance is used in alignment with Commission policy statements that high assurance is equivalent to reasonable assurance of adequate protection.

Additionally, the letter states that NEI's position is that 10 CFR 73.22(g) is related to storing, processing, and producing SGI and should not be applied to the transmission of SGI if the networked computer does not store, process, or produce SGI. However, the letter does not provide a sufficient basis for concluding that a device that encodes, encrypts, transmits, receives, and decrypts SGI voice communications is not processing that communication in a manner that would be subject to the requirements in 10 CFR 73.22(g)(1). The staff also does not have sufficient information to determine whether the proposed hardware and software solutions would constitute a computer subject to 10 CFR 73.22(g)(2), a mobile device subject to 10 CFR 73.22(g)(3), or an electronic system subject to 10 CFR 73.22(g)(4).

The NRC staff recommends discussing these issues at a future public meeting. The enclosure to this letter provides additional considerations as a starting point for that public meeting discussion. We look forward to future discussions and additional information to make a risk-informed decision regarding this request.

If you have any questions regarding this issue, please contact Mr. Mark MacDonald, Chief, Information Security Branch, at mark.macdonald@nrc.gov.

Sincerely,

Craig Erlanger, Acting Director
Office of Nuclear Security and Incident Response

Enclosure: Initial Questions Regarding Remote Use of Safeguards Information

Signed by Erlanger, Craig on 09/12/24

Ltr ML22286A075

OFFICE                  NAME            DATE
OCIO/GEMSD/CSB/CSOT     MMangefrida     Mar 20, 2024
NSIR/DSO/ISB            DParsons        Mar 21, 2024
NSIR/DSO                TInverso        Mar 21, 2024
OGC/GCRPS/HLWFCNS/NLO   BYip for NSt.   Apr 1, 2024
NSIR                    CErlanger       Sep 12, 2024