ML24120A270

Melody Rodriguez, NEI Comment on Controlled Unclassified Information

Site: Nuclear Energy Institute
Issue date: 04/04/2023
From: Marlen Rodriguez, Nuclear Energy Institute
To: David Cullison, NRC/OCIO
MELODY RODRIGUEZ
Senior Project Manager
1201 F Street, NW, Suite 1100
Washington, DC 20004
P: 202-739-8086
mcr@nei.org
nei.org

April 4, 2023

David Cullison
Office of the Chief Information Officer
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Submitted via Regulations.gov

Project Number: 689

Subject: Industry Comments on the Information Collection for NRC Controlled Unclassified Information Program Information-Sharing Agreement (Docket ID: NRC-2022-0163)

Dear Mr. Cullison:

The Nuclear Energy Institute (NEI)[1], on behalf of its members, is responding to the Nuclear Regulatory Commission's (NRC) information collection request entitled "NRC Controlled Unclassified Information Program Information-Sharing Agreement."[2] Specifically, in accordance with the Paperwork Reduction Act of 1995 (44 USC 3501-3521), the NRC seeks public comment on its intention to request Office of Management and Budget (OMB) approval for the collection of information associated with the NRC's proposed Controlled Unclassified Information (CUI) information-sharing agreement.[3] The proposed CUI information-sharing agreement is intended to facilitate the NRC's implementation of a CUI program that meets the requirements of the final CUI Rule issued by the Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA) in 2016 and codified at 32 CFR Part 2002.

We have prepared general comments about the NRC's CUI program implementation and its effects on the industry, and we have also prepared specific responses to the four questions posted to the docket. The industry remains committed to supporting the NRC in a successful CUI program implementation but continues to have concerns with the burden imposed upon external stakeholders. We do not believe that the execution of an information-sharing agreement is necessary for the NRC to successfully implement its program because of the discretion granted within the CUI Rule, but to the extent that an agreement is executed, it could be enhanced by substantially simplifying its contents to focus on the minimum requirements prescribed by NARA regulations and by providing ample time for external stakeholders to execute the agreements. Additionally, the NRC underestimates the resource burden to execute the agreements.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

[2] 88 Fed. Reg. 7478 (Feb. 3, 2023).

[3] The current version of the draft CUI Information Sharing Agreement is available at ADAMS Accession No. ML22249A154.

I. General Comments

NEI recognizes that the CUI Rule applies directly to Federal executive branch agencies, including the NRC, and that the NRC is obligated to implement a CUI program that meets the rule's requirements. We also appreciate the substantial efforts undertaken by the NRC to develop and implement its CUI program and to include affected stakeholders in that process.

However, we remain concerned about the burdens and unforeseen consequences CUI program implementation will impose on the industry. We continue to communicate these issues to the NRC and endeavor to resolve them in a manner that minimizes burden. As discussed during the NRC's January 10, 2023, closed virtual meeting with the industry, while the current version of the information-sharing agreement now includes view-only and hard copy options, those options do not fully address our concerns relative to the viability of the NRC's current CUI implementation approach and associated burdens on the industry. We elaborate on some of those concerns below in our responses to the specific questions posed by the NRC.

II. Responses to NRC's Specific Questions

1. Is the proposed collection of information necessary for the NRC to properly perform its functions? Does the information have practical utility? Please explain your answer.

We do not view the execution of CUI information-sharing agreements with non-executive branch entities to be necessary to either the NRC's ability to comply with the CUI Rule or meet its legal obligations under its authorizing statutes. As noted above, the CUI Rule provides that federal agencies should enter into such agreements with non-executive branch entities "whenever feasible." Moreover, Section 2002.16(a)(5)(ii) of the CUI Rule explicitly recognizes that agencies may need to share CUI without a formal information-sharing agreement in carrying out their statutory mission. In such situations, the CUI Rule directs federal agencies to communicate to the recipient that "the Government strongly encourages the non-executive branch entity to protect CUI in accordance with [Executive Order 13556], [32 CFR Part 2002], and the CUI Registry, and that such protections should accompany the CUI if the entity disseminates it further." Notably, the CUI Rule seeks to balance and to minimize unnecessarily restrictive policies and practices by setting out a framework of rules within which agencies may exercise their discretion.[4] The NRC has acknowledged this discretion in RIS 2022-03, "NRC Plans to Establish Controlled Unclassified Information-Sharing Agreements with Non-Executive-Branch Entities." The NRC explains in the RIS that because it would not normally expect an entity without a signed agreement to have information systems in place that comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations," it generally would share CUI with such an entity only in view-only mode or in hard copy format. Significantly, the RIS also notes that there may be emergent situations where the NRC would electronically share CUI in a mode other than view-only with an entity that lacks a signed agreement, where the NRC has reason to believe that the entity is capable of protecting the information on its own systems in a manner consistent with NIST SP 800-171, notwithstanding the absence of an agreement. It further notes that electronic sharing in a mode other than view-only may be found necessary to accomplish the NRC's mission or to support compliance with legal or regulatory requirements or government-wide policies.[5] Based upon a combination of the CUI Rule provisions and NRC statements, it is our understanding that a CUI information-sharing agreement is not imperative as either a legal or practical matter. In fact, for entities that have not executed a CUI information-sharing agreement with the NRC, or whose information systems are not in compliance with NIST SP 800-171 and are not expected to become compliant, the NRC has indicated that it nonetheless may share CUI with such entities via a view-only electronic platform.

Finally, to our knowledge, other federal agencies from whom our members receive CUI have not proposed similarly restrictive agreements with non-executive branch entities. Thus, the industry will be in the position of handling CUI from the NRC differently than it handles CUI from other federal agencies, increasing the burdens related to information protection and introducing vulnerability to unnecessary error. This variability in approach among executive agencies raises further questions about whether a CUI information-sharing agreement is necessary at all.

2. Is the estimate of the burden of the information collection accurate? Please explain your answer.

The NRC estimates a total annual compliance burden of 16 hours for this information collection, but that estimate appears to be substantially low. Based on experience and communications with NEI members, we anticipate that any decision by a member organization to enter into a CUI information-sharing agreement with the NRC will entail significant internal coordination among various divisions or offices within the organization (e.g., legal, regulatory affairs/compliance, information technology (IT), records management) and possibly consultation with external legal and IT vendors. These activities could require weeks, if not months, depending on the organization's internal protocols, current human and technology resources, and level of familiarity with the CUI program and the NRC's implementation thereof.

[4] NARA, CUI Rule, 81 Fed. Reg. at 63331.

[5] RIS 2022-03 at 5.

We believe the burden costs of entering into the current version of the NRC's proposed CUI information-sharing agreement must be viewed and analyzed more holistically. A company's decision to execute the agreement - particularly if it chooses to certify that it is in full compliance with NIST SP 800-171 or is in the process of ensuring that its non-executive branch information systems may handle CUI consistent with NIST SP 800-171 - likely would trigger an array of supporting activities and associated costs (both one-time and recurring). Such activities could include, but not be limited to, hiring of additional personnel and contractors, procedure updates, acquisition of new hardware or equipment, IT system modifications and upgrades, and employee training and support. Again, the time required to complete such activities is likely to be measured in weeks and months, not hours.

3. Is there a way to enhance the quality, utility, and clarity of the information to be collected?

We believe the NRC could enhance the quality, utility, and clarity of the CUI information-sharing agreement by substantially simplifying its contents to focus on the minimum requirements prescribed by NARA regulations. Specifically, 32 CFR 2002.16(a)(6) provides:

    At a minimum, agreements with non-executive branch entities must include provisions that state: (i) Non-executive branch entities must handle CUI in accordance with [Executive Order 13556], this part, and the CUI Registry; (ii) Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies; and (iii) The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency's SAO. When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.

We view the current version of the agreement as being too prescriptive and limiting in nature because it effectively constrains any party signing the agreement to three options - NIST SP 800-171 compliance (demonstrated or in progress), electronic view-only access, and hard copies. As a result, the proposed agreement reduces the flexibility and agency discretion afforded by NARA regulations and contained in RIS 2022-03, and disincentivizes stakeholders from entering into the agreement. Establishing and maintaining compliance with NIST SP 800-171 standards requires significant effort and resources. Moreover, relying exclusively on view-only and/or hard copies of CUI, which cannot be electronically processed, stored, or transmitted (or duplicated without being subject to the same controls) under the current agreement, presents its own practical and legal challenges (e.g., meeting certain recordkeeping requirements).

Additionally, as discussed in response to Question 1, there is no utility in requiring CUI information-sharing agreements with all non-federal entities, because such agreements are not required under 32 CFR 2002, and because the NRC's proposed implementation is inconsistent with the implementation of other federal agencies.

4. How can the burden of the information collection on respondents be minimized, including the use of automated collection techniques or other forms of information technology?

The burden of the information collection on respondents can be minimized by simplifying the contents of the CUI information-sharing agreement in order to facilitate a faster legal review process, and by providing non-executive branch entities with the agreement 2-3 months in advance of the planned execution date, in order to provide ample time for licensee legal review.

In summary, we appreciate this opportunity to comment on the information collection request for the NRC's CUI information-sharing agreement and the agency's consideration of the concerns and approaches described in this letter. NEI members recognize the need to protect CUI from unauthorized disclosure and are committed to ensuring that this need is met. We look forward to continued engagement with the NRC to support CUI program implementation in an adequately effective and reasonable manner for external stakeholders.

If you have any questions or require additional information, please contact me at 202.739.8086 or mcr@nei.org.

Sincerely,

Melody Rodriguez

c: Lois James, NRR, NRC
   Tanya Mensah, OCIO, NRC