ML24351A165

Management Directive 12.4, NRC Communications Security (Comsec) Program
ML24351A165
Person / Time
Issue date: 02/10/2025
From: Craig Erlanger, Kevin Williams
Office of Nuclear Security and Incident Response
To:
References
MD 12.4


Text

U.S. NUCLEAR REGULATORY COMMISSION MANAGEMENT DIRECTIVE (MD)

For updates or revisions to policies contained in this MD that were issued after the MD was signed, please see the Yellow Announcement to Management Directive index (YA-to-MD index).

MD 12.4 NRC COMMUNICATIONS SECURITY (COMSEC) PROGRAM DT-25-01

Volume 12: Security

Approved By: Kevin Williams, Deputy Director, Office of Nuclear Security and Incident Response

Date Approved: February 10, 2025

Cert. Date: N/A, for the latest version of any NRC directive or handbook, see the online MD Catalog

Issuing Office: Office of Nuclear Security and Incident Response

Contact Name: Curtis Newkirk

EXECUTIVE SUMMARY

Management Directive (MD) 12.4, NRC Communications Security (COMSEC) Program, reflects revisions to COMSEC policy and program changes that highlight communications security. MD 12.4 outlines how the U.S. Nuclear Regulatory Commission (NRC) COMSEC Program does the following:

Aligns with national COMSEC policy,

Safeguards classified information using secure telecommunications systems,

Ensures the availability of COMSEC supporting the NRC's mission essential functions, and

Identifies various responsibilities and delegations of authority within the NRC.

Additional changes to the MD include updates to references and the removal of references to sensitive unclassified non-safeguards information and controlled unclassified information (CUI) as these are separate programs discussed in MD 12.6, NRC Controlled Unclassified Information (CUI) Program.

TABLE OF CONTENTS

I. POLICY
II. OBJECTIVES
III. ORGANIZATIONAL RESPONSIBILITIES AND DELEGATIONS OF AUTHORITY
A. Chairman
B. Office of the General Counsel (OGC)
C. Executive Director for Operations (EDO)
D. Director, Office of Nuclear Security and Incident Response (NSIR)
E. Director, Office of Administration (ADM)
F. Regional Administrators
IV. APPLICABILITY
V. NRC COMMUNICATIONS SECURITY PROGRAM
A. General
B. Federal Requirement to Implement the Policies and Directives of the Committee on National Security Systems
C. Transmission of Classified Information
VI. ABBREVIATIONS
VII. REFERENCES

I. POLICY

A. It is the policy of the U.S. Nuclear Regulatory Commission (NRC) to protect all classified information transmitted on telecommunications systems under its security jurisdiction as required by law. Committee on National Security Systems Instruction (CNSSI) No. 4009, Committee on National Security Systems (CNSS) Glossary, defines communications security (COMSEC) as a component of Cybersecurity that deals with measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications.

B. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material and information. Specifically, the NRC will safeguard and control COMSEC materials to ensure their continued integrity, prevent access by unauthorized persons, and reduce the risk of unauthorized access to COMSEC materials, techniques, and technology.

II. OBJECTIVES

Align with national COMSEC policy in accordance with CNSS Policy No. 1, National Policy for Safeguarding and Control of COMSEC Materials, issued May 2023.

Establish a centralized COMSEC material control system for the agency, integrating all COMSEC keying material.

Safeguard national security information, restricted data, and formerly restricted data communicated on telecommunications systems.

Safeguard classified information communicated over telecommunications systems that prepare, transmit, communicate, or process the information (e.g., writing, images, sounds, or other data) by electric, electromagnetic, electromechanical, electro-optical, or other electronic means, using media such as twisted pair cable, coaxial cable, fiber optic cable, microwave, radio frequency, infrared, or satellite.

Safeguard and control COMSEC to ensure its continued integrity and availability for authorized users while reducing the risk of unauthorized access to COMSEC materials, techniques, and technologies.

III. ORGANIZATIONAL RESPONSIBILITIES AND DELEGATIONS OF AUTHORITY

A. Chairman

Ensures that the agency has implemented a COMSEC program that aligns with CNSS Policy No. 1.

B. Office of the General Counsel (OGC)

1. Reviews any legal concerns regarding the NRC's transfer of information to foreign governments or international organizations.
2. Advises and assists the NRC staff in developing procedures to comply with the Freedom of Information Act (FOIA) (5 U.S.C. 552) as it relates to public requests for COMSEC-related documents.
3. Advises and assists the NRC staff in complying with statutes, Executive Orders, and regulatory requirements, including the Atomic Energy Act of 1954, as amended, and 10 CFR Part 95, Facility Security Clearance and Safeguarding of National Security Information and Restricted Data, related to the creation, handling, and processing of classified information.

C. Executive Director for Operations (EDO)

1. Ensures agency compliance with the requirements imposed by the National Security Agency (NSA) and the CNSS, along with related policies, procedures, standards, and guidelines.
2. Designates the Chief Information Officer (CIO); the Deputy Executive Director for Nuclear Materials, Administrative, and Corporate Programs (DEDM); and the Deputy Executive Director for Reactor and Preparedness Programs (DEDR), collectively, as the NRC's Designated Authorizing Official.

D. Director, Office of Nuclear Security and Incident Response (NSIR)

1. Ensures a Central Office of Record (COR) is assigned as the NRC representative to NSA for all matters relating to COMSEC.
2. Ensures that the Office of Nuclear Security and Incident Response (NSIR) maintains the primary COR account and manages the subordinate COMSEC accounts, including headquarters and regional COMSEC accounts.
3. Ensures the COR meets reporting requirements to the NSA.
4. Ensures that the office has a qualified and trained COMSEC manager, a minimum of one alternate COMSEC manager, a COR, and an alternate COR.
5. Ensures COMSEC materials are available to implement the program.
6. Oversees and takes full responsibility for the NRC's COMSEC program through COR functions.
7. Ensures that NSIR assigns subject matter experts for cryptographic equipment and determines cryptographic requirements, including specifications for acquisition and implementation of COMSEC materials and controlled cryptographic items (CCI).
8. Ensures that NSIR reports all security incidents involving COMSEC materials, CCI, and facilities housing COMSEC materials and CCI to the NRC COR and the NSA.
9. Ensures that NSIR trains users of COMSEC materials before granting them access to those materials.

E. Director, Office of Administration (ADM)

1. Ensures physical security requirements are met and maintained for the protection of COMSEC materials and CCI.
2. Reports all security incidents involving COMSEC materials, CCI, and facilities housing COMSEC materials and CCI to the NRC COR.
3. Ensures personnel handling COMSEC materials or CCI are properly cleared.

F. Regional Administrators

1. Ensure that each regional office maintains a COMSEC program subordinate to the COMSEC program at headquarters.
2. Ensure that each regional office has a qualified and trained COMSEC manager and a minimum of one alternate COMSEC manager.

3. Ensure that the regional COMSEC managers are afforded the appropriate amount of time to perform their duties.
4. Ensure that each regional office operates, maintains, tests, and secures communications equipment using COMSEC equipment to meet the agency's mission essential functions (e.g., maintain situational awareness). The need for a secure communication capability was evident during natural disasters (e.g., hurricanes) and the NRC's response to the COVID-19 pandemic. Secure mobile phones can be used to provide secure mobile communications to the staff from any location. COMSEC equipment includes, but is not limited to, the following:

(a) Telephones (wired, satellite, and cellular),

(b) Facsimiles and digital senders,

(c) Radios,

(d) Video and video teleconferencing systems,

(e) Networks (wired and wireless).

IV. APPLICABILITY

The policy and guidance in this management directive (MD) apply to all NRC employees, contractors, and consultants. This MD does not apply to licensees unless the NRC specifically and directly applies this MD to them through a licensing action.

V. NRC COMMUNICATIONS SECURITY PROGRAM

A. General

The NRC COMSEC program is governed by guidance and policies established by the CNSS and the NSA. The committee includes voting members from 21 U.S. Government executive branch departments and agencies. In addition, 14 official committee observers represent additional organizations, including the NRC. The CNSS protects national security systems by developing operating policies, procedures, guidelines, directives, instructions, and standards as necessary to implement National Security Directive 42, National Policy on the Security of National Security Telecommunications and Information Systems, dated July 5, 1990.

B. Federal Requirement to Implement the Policies and Directives of the Committee on National Security Systems

The CNSS intends its policies and directives for entities that own or use (or both) national security systems. The heads of the executive departments and agencies ensure the implementation of CNSS policies and directives within their departments or agencies. As an owner and user of national security systems, the NRC is required to implement the policies and directives issued by the CNSS.

C. Transmission of Classified Information

All routine electronic classified information must be transmitted using technologies in accordance with MD 12.5, NRC Cybersecurity Program. MD 12.2, NRC Classified Information Security Program, contains the policy and procedures to protect and control classified information.

VI. ABBREVIATIONS

CCI controlled cryptographic items
CFR Code of Federal Regulations
CNSS Committee on National Security Systems
CNSSI Committee on National Security Systems Instruction
COMSEC communications security
COR Central Office of Record
CUI controlled unclassified information
FOIA Freedom of Information Act
MD management directive
NRC U.S. Nuclear Regulatory Commission
NSA National Security Agency
NSIR Office of Nuclear Security and Incident Response
PA Privacy Act

VII. REFERENCES

Executive Orders

Executive Order 12333 as amended, United States Intelligence Activities, December 4, 1981.

Executive Order 13231, Critical Infrastructure Protection in the Information Age, October 16, 2001.

Executive Order 13284, Amendment of Executive Orders and Other Actions, in Connection with the Establishment of the Department of Homeland Security, January 23, 2003.

Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 7, 2011.

National Security Policy and Memoranda

CNSS Policy No. 1, National Policy for Safeguarding and Control of COMSEC Materials, May 2023.

CNSSI No. 4005, Safeguarding Communications Security Facilities and Materials, August 22, 2011.

CNSSI No. 4009, Glossary, March 7, 2022.

NSA Central Security Service Policy Manual No. 3-16, Control of Communications Security Material, January 24, 2020.

National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990.

U.S. Nuclear Regulatory Commission Management Directives

3.1, Freedom of Information Act.

3.2, Privacy Act.

12.1, NRC Facility Security Program.

12.2, NRC Classified Information Security Program.

12.3, NRC Personnel Security Program.

12.5, NRC Cybersecurity Program.

12.6, NRC Controlled Unclassified Information (CUI) Program.

United States Code

Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.).

Energy Policy Act of 2005, Pub. L. 109-58.