RIS 2022-03, NRC Plans to Establish Controlled Unclassified Information-Sharing Agreements with Non-Executive Branch Entities

From kanterella
(Redirected from RIS 2022-03)
Jump to navigation Jump to search
NRC Plans to Establish Controlled Unclassified Information-Sharing Agreements with Non-Executive Branch Entities
ML22132A212
Person / Time
Issue date: 12/08/2022
From: Brian Benney, Tanya Mensah
Office of Nuclear Reactor Regulation, NRC/OCIO
To:
Tanya Mensah; Brian Benney
References
RIS 2022-03
Download: ML22132A212 (8)


UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF THE CHIEF INFORMATION OFFICER

OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS

OFFICE OF NUCLEAR REACTOR REGULATION

OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE

WASHINGTON, DC 20555-0001 December 8, 2022 NRC REGULATORY ISSUE SUMMARY 2022-03 NRC PLANS TO ESTABLISH CONTROLLED UNCLASSIFIED INFORMATION-SHARING

AGREEMENTS WITH NON-EXECUTIVE-BRANCH ENTITIES

ADDRESSEES

All U.S. Nuclear Regulatory Commission (NRC) licensees, applicants, Certificate of Compliance (CoC) holders, Agreement State Radiation Control Program Directors, State Liaison Officers, and Tribes.

INTENT

The NRC is issuing this regulatory issue summary (RIS) to addressees for the following two purposes:

(1) to communicate the agencys plans to discontinue its Sensitive Unclassified Non-Safeguards Information (SUNSI) program and to implement a controlled unclassified information (CUI) program approximately in the fall of 2023; and

(2) to discuss the agencys plans to enter into formal CUI information-sharing agreements with non-executive branch entities (e.g., addressees), whenever feasible, before sharing CUI with those entities.

This RIS does not transmit or imply action or written response on the part of an addressee.

Although no specific action or written response is required, awareness of the NRCs plans to implement a CUI program will enable the agency to coordinate with the addressees more efficiently and effectively.

BACKGROUND INFORMATION

CONTROLLED UNCLASSIFIED INFORMATION RULE

On November 4, 2010, the President issued Executive Order 13556, Controlled Unclassified Information, to establish an open and uniform program across the executive branch for managing unclassified information that requires safeguarding or dissemination controls. This information is referred to as CUI. According to the Executive order, agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking requirements and safeguarding of information and unnecessarily restricted information sharing.

ML22132A212 On September 14, 2016 (81 FR 63323), the National Archives and Records Administration (NARA) published in the Federal Register (FR) a final rule adding new Part 2002, Controlled Unclassified Information (CUI), to Title 32 of the Code of Federal Regulations (32 CFR) (CUI

Rule). The CUI Rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch.

As discussed in SECY-18-0035, Update on Development of the Controlled Unclassified Information Program, dated March 8, 2018 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18065B107) the CUI Program at the NRC will replace the agencys existing program for the protection of SUNSI (e.g., proprietary information, personally identifiable information) and will also include Safeguards Information (SGI) and Safeguards InformationModified Handling.

The CUI Rule applies directly to all Federal executive branch agencies (hereafter referred to as executive branch agencies), which includes the NRC. The CUI Rule does not directly impose any requirements on non-executive branch entities, which include the addressees of this RIS.

However, the CUI Rule does require executive branch agencies to enter into formal information-sharing agreements, whenever feasible, when they intend to share CUI with a non-executive branch entity. These information-sharing agreements must, at a minimum, include provisions requiring the non-executive branch entity to handle CUI received from the agency in accordance with the CUI Rule and to report any noncompliance to the agency.1 In addition, if the non-executive branch entitys information systems process or store CUI, the CUI

Rule requires agencies to prescribe National Institute of Standards and Technology (NIST)

Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, when establishing security requirements in written agreements to protect the CUIs confidentiality.2 Under these information-sharing agreements, NIST SP 800-171 would apply to non-executive branch entities that take possession of CUI (i.e.,

download, print) they receive from the executive branch agency on a non-Federal information system.

NRC CONTROLLED UNCLASSIFIED INFORMATION POLICY

On November 12, 2021, the NRCs CUI Policy Statement was published in the Federal Register

(86 FR 62713), which set forth the NRCs expectation regarding the treatment of CUI. On December 3, 2021, the NRC issued Management Directive (MD) 12.6, NRC Controlled Unclassified Information (CUI) Program (ML21223A168), which describes the agencys CUI

program. These key documents laid the foundation for the NRC staff to communicate its CUI

policy.

During the development of the NRCs CUI Policy Statement and MD 12.6, the NRC held several CUI public meetings on July 25, 2019 (ML19193A193), March 5, 2020 (ML20062F082),

March 28, 2022 (ML22095A160), and June 2, 2022 (ML22167A024). During these public meetings, the NRC staff did the following:

  • described the CUI Rule requirements to identify and proactively address any potential challenges,

1 32 CFR 2002.16(a)(6).

2 32 CFR 2002.14(h)(2). * communicated the NRCs estimated timeline to transition from SUNSI to CUI,

  • informed stakeholders of the NRCs plans to establish information-sharing agreements,
  • explained how non-executive branch entities would be expected to meet the standards of NIST SP 800-171 if they intended to take possession of CUI, they receive from the NRC on a non-Federal information system, and
  • discussed potential alternatives under consideration by the NRC to minimize burden on non-executive branch entities that do not intend to take possession of CUI onto their non-Federal information system (e.g., NRC alternatives that permit access to CUI in a view-only mode)

During the transition to the CUI program, all elements of the NRCs existing SUNSI program will remain in place. After the NRC transitions to CUI, sensitive information that addressees receive from the NRC will be marked with different markings than the NRC has previously used.

Specifically, the Official Use Only markings associated with the NRCs SUNSI program requirements, which were established by NRC internal policy rather than by law, regulation, or government-wide policy, will be discontinued. Instead, the NRC staff will apply the appropriate CUI category markings in the header of documents that contain CUI (e.g., General Proprietary Business Information, Nuclear Security-Related Information). The category markings that all executive branch agencies are required to use for the CUI categories are available on the NARA CUI Registry (https://www.archives.gov/cui/registry/category-list). In the event that other (i.e., non-CUI) markings are also required by law, regulation, or government-wide policy for particular types of information, such information, when shared by the NRC with addressees, would generally feature both (1) the required non-CUI markings and (2) any applicable CUI

markings.

Another notable change to addressees is that the NRC, upon implementing the CUI program, will be required by the CUI Rule to enter into formal CUI information-sharing agreements with non-executive branch entities before sharing CUI with such entities. Of particular significance, if a non-executive branch entity will be storing or processing any of the CUI on a non-Federal information system, the CUI information-sharing agreement between the NRC and the entity must require the entity to comply with NIST SP 800-171 with respect to any such system, consistent with the CUI Rule requirements described above.

Additional discussion regarding the NRCs plans to establish formal CUI information-sharing agreements is provided below.

SUMMARY OF ISSUE

Under 32 CFR 2002.16(a)(5)(i), agencies must enter into formal CUI information-sharing agreements, whenever feasible, when they intend to share CUI in any form (hard copy or electronic) with non-executive branch entities. NRC CUI information-sharing agreements will set forth safeguarding, access, and dissemination controls for CUI that the NRC shares with addressees. These agreements will not govern information that addressees generate themselves (e.g., NRC information-sharing agreements will not impose CUI requirements on an addressees handling of its own proprietary information, even if the NRC incorporates that information into an NRC document and transmits that document to the addressee). To facilitate discussion with NRC stakeholders on this topic during the NRC CUI public meetings on March 28, 2022, and June 2, 2022 (ML22081A315 and ML22145A552, respectively), the staff shared a draft CUI information-sharing agreement. Before the NRC can begin using the agreement, the NRC must obtain clearance from the Office of Management and Budget (OMB)

regarding the aspects of the agreement that involve information collection covered by the Paperwork Reduction Act. As part of this process, notices will be published in the Federal Register requesting public comment on the information collection.

The NRC is targeting the summer of 2023 to begin establishing formal CUI information-sharing agreements with addressees. Once formal agreements are established, and the NRC

transitions to CUI, the NRC will disseminate CUI in hard copy or electronic format to non- executive branch entities based upon the terms of their agreements with the NRC. Although signing an information-sharing agreement with the NRC will be voluntary, doing so will facilitate the continued sharing of CUI with the addressee.

To meet 32 CFR 2002.14(h)(2), the NRC intends to prescribe NIST SP 800-171 in CUI

information-sharing agreements with non-executive branch entities that need to take possession of CUI they receive electronically from the NRC on their non-Federal information systems. Any signees that meet NIST SP 800-171 would be able to download or print CUI they receive from the NRC onto their non-Federal information system.

For non-executive branch entities that do not meet NIST SP 800-171, the NRC intends to share CUI in a view-only mode. This view only mode permits signees to securely view CUI

electronically without having to take possession of CUI onto their non-Federal information system, and it is also intended to deter signees from inadvertently introducing CUI to non-Federal information systems that do not meet NIST SP 800-171. However, if there is an existing requirement for a non-executive branch entity to take possession of certain CUI

received electronically from the NRC, or an existing requirement governing a certain category of CUI while on a non-executive branch entitys information system that differs from NIST SP 800-

171, the NRC will continue to provide CUI in a manner consistent with those requirements. As an example, after the NRC transitions to CUI, the NRC will continue to provide licensees with Criminal History Records Information received from the Federal Bureau of Investigation in either a hardcopy or electronic format (not view only), so that licensees can maintain those records in accordance with NRC requirements in 10 CFR Part 37.31, Protection of Information, or 10 CFR Part 73.57, Protection of Information, as applicable. For additional information on the transmittal of Criminal History Records information, refer to the frequently asked questions on the NRCs CUI public website (https://www.nrc.gov/reading-rm/cui.html).

In addition, while this view only mode may impact how the NRC staff collaborates with specific groups of NRC stakeholders on draft documents that contain CUI, the NRC staff will endeavor to keep these impacts to a minimum. The staff will continue to coordinate with these NRC

stakeholders, where feasible, to explore solutions that support collaboration on draft documents that contain CUI without the signee having to take possession of CUI onto their non-Federal information system. Signees may also request that the NRC provide hard-copy versions of CUI

documents in lieu of electronic access limited to view only. CUI shared with signees in view only or hard-copy format would be subject to the terms of the CUI information-sharing agreement. Once the NRCs CUI information-sharing agreement is finalized and made available to non-executive branch entities to voluntarily sign, the NRC staff plans to internally track each signees response and preference for receiving CUI. This information will be tracked to support the various information-sharing needs of the NRC staff.

When the agencys mission requires it to disseminate CUI to non-executive branch entities that have not entered into a formal CUI information-sharing agreement with the NRC,

32 CFR 2002.16(a)(5)(ii), Sharing CUI without a formal agreement, requires agencies to communicate to the recipient:

(1) that the Government strongly encourages the non-executive branch entity to protect CUI

in accordance with Executive Order 13556 and the CUI Registry

(2) that such protections should accompany the CUI if disseminated further to a third party.

Because the NRC would not normally expect an entity without a signed agreement to have information systems in place that already comply with NIST SP 800-171, the NRC would generally share CUI with such an entity only in view only mode or in hard copy format. There may, however, be emergent situations where the NRC would electronically share CUI in a mode other than view only with an entity that lacks a signed agreement. For example, the NRC may have reason to believe that the entity is capable of protecting the information on its own systems in a manner consistent with NIST SP 800-171, notwithstanding the absence of an agreement.

Alternatively, electronic sharing in a mode other than view only may be identified as necessary to accomplish the NRCs mission or to support compliance with legal or regulatory requirements or government-wide policies.

Additional NRC public meetings are anticipated to ensure open communications with addressees on any progress made towards finalizing CUI information-sharing agreements, including scheduling. The NRCs CUI public website (https://www.nrc.gov/reading-rm/cui.html)

provides additional information regarding the NRCs plans to transition to CUI. The NRCs CUI

public website also includes a living document of frequently asked questions and responses for NRC stakeholders seeking further information about CUI.

BACKFITTING AND ISSUE FINALITY DISCUSSION

This RIS informs NRC stakeholders of its intent to implement mandatory requirements imposed on all Federal executive branch agencies in accordance with NARAs CUI Rule. As a Federal agency in the executive branch, the NRC is required to establish formal CUI information-sharing agreements with non-executive branch entities, where feasible, when sharing CUI. This RIS

also informs addressees of plans to establish formal CUI information-sharing agreements with NRC stakeholders to support the NRCs transition to CUI. This RIS does not constitute an information collection and is not within the purview of the Backfit Rule, in accordance with

10 CFR 50.109, Backfitting, 10 CFR 70.76, Backfitting, 10 CFR 72.62, Backfitting, or any of the issue finality provisions in 10 CFR Part 52. In addition, this RIS does not require any action or written response from the addressees. Any action on the part of addressees to sign the NRCs CUI information-agreement, once finalized, is strictly voluntary. For these reasons, the NRC did not perform a backfit analysis for this RIS or further address any issue finality criteria in

10 CFR Part 52.

FEDERAL REGISTER NOTIFICATION

The NRC did not publish in the Federal Register a notice of opportunity for public comment on this RIS because it is informational and pertains to an administrative aspect of the regulatory process. In addition, the regulation (i.e., NARAs CUI Rule) that mandates the actions the NRC

anticipates taking as described in this RIS was open to public comment during its promulgation.

Additionally, the information-sharing agreement the NRC is developing will be published for public comment as part of the Paperwork Reduction Act clearance process.

CONGRESSIONAL REVIEW ACT

This RIS is not a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808).

PAPERWORK REDUCTION ACT STATEMENT

This RIS does not contain a collection of information as defined in the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) and, therefore, is not subject to the requirements of the Paperwork Reduction Act of 1995. As discussed above, the information collection associated with the formal CUI information-sharing agreement has not yet been approved by OMB.

Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, an information collection unless the requesting document displays a currently valid OMB control number.

CONTACT

Please direct any questions about this matter to the technical contact or the lead project manager listed below.

Technical Contact:

Tanya Mensah, Lead Project Manager: Brian Benney, Office of the Chief Information Officer Office of Nuclear Reactor Regulation

301-415-3610 301-415-2767 Email: Tanya.Mensah@nrc.gov Email: Brian.Benney@nrc.gov /RA/ /RA/

Scott C. Flanders, Deputy Michael F. King, Deputy Director Chief Information Officer for Reactor Programs Office of the Chief Information Officer Office of Nuclear Reactor Regulation

/RA/ /RA/

Robert J. Lewis, Deputy Director Craig G. Erlanger, Deputy Director Office of Nuclear Material Safety and Office of Nuclear Security and Incident Safeguards Response

/RA/

Christopher G. Miller, Director Division of Reactor Oversight Office of Nuclear Reactor Regulation Note: NRC generic communications may be found on the NRC public website, http://www.nrc.gov, under NRC Library/Document Collections.

ML22132A212 EPIDS No.: L-2022-GEN-0005 OFFICE OCIO/GEMS QTE OCIO/GEMS/DD(A) OCIO/DCIO

NAME TMensah KAzariah-Kribbs JFeibus SFlanders DATE 5/17/2022 5/20/2022 8/08/2022 8/23/2022 OFFICE OCIO/CIO NRR/DORL/D NSIR/DD NMSS/DD

NAME DNelson BPham CErlanger RLewis DATE 8/23/2022 8/10 /2022 8/24/2022 8/9/2022 OFFICE NRR/DD OGC (NLO) OE/EB/BC NRR/DRO/IOEB/PM

NAME MKing EMichel JPeralta BBenney DATE / /2022 8/18/2022 9/09/2022 9/26/2022 OFFICE NRR/DRO/LA NRR/DRO/IOEB/BC OCIO/GEMSD/FLIC

NAME IBetts LRegner DCullison DATE 12/8/22 9/28/2022 10/04/2022 OFFICE NRR/DRO/D

NAME CMiller DATE 12/8/2022