SECY-18-0035, SECY-18-0097: Proposed Controlled Unclassified Information Policy Statement

SECY-18-0097: Proposed Controlled Unclassified Information Policy Statement
ML18232A212
Person / Time
Issue date: 10/01/2018
From: Margaret Doane
NRC/EDO
To: Commissioners
NRC/OCM
Tanya Mensah
Shared Package
ML18232A211 List:
References
200900185, SECY-18-0035, SECY-18-0097
Download: ML18232A212 (9)


Text

POLICY ISSUE (Notation Vote)

October 1, 2018
SECY-18-0097

FOR: The Commissioners

FROM: Margaret M. Doane, Executive Director for Operations

SUBJECT: PROPOSED CONTROLLED UNCLASSIFIED INFORMATION POLICY STATEMENT

PURPOSE:

The purpose of this paper is to seek Commission review of the proposed U.S. Nuclear Regulatory Commission (NRC) policy statement that will, if approved, implement one portion of Title 32 of the Code of Federal Regulations (32 CFR) Part 2002, "Controlled Unclassified Information (CUI)" (CUI Rule). This paper also presents two options regarding the appropriate timeframe to publish the CUI policy statement in the Federal Register. The staff considered these options to align the issuance of the high-level CUI policy statement with the publication of agency-specific CUI guidance for NRC staff and contractors. In summary, the first option is to seek public comment in the Federal Register on a high-level, proposed CUI policy statement. The second option is to publish the final, approved policy statement in the Federal Register, without seeking public comment, concurrent with the issuance of a CUI management directive for NRC staff and contractors.

SUMMARY

On September 14, 2016, the National Archives and Records Administration (NARA) published 32 CFR Part 2002 in the Federal Register (81 FR 63323). In SECY-18-0035, "Update on Development of the Controlled Unclassified Information Program," dated March 8, 2018, the Commission was informed of the staff's approach to implementing 32 CFR Part 2002. As described in SECY-18-0035, the staff's initial step was to submit a high-level, proposed CUI policy statement for Commission review by September 2018. In this paper, the staff transmits and provides the basis for the proposed CUI policy statement and describes two options to publish the proposed CUI policy statement in the Federal Register. Based upon its consideration of the options, the staff recommends that the Commission approve the second option to publish the final, approved CUI policy statement in the Federal Register, concurrent with the publication of Management Directive (MD) 12.6, "NRC Controlled Unclassified Information Program" (currently titled "NRC Sensitive Unclassified Information Security Program"). MD 12.6 is currently expected to be published in September 2019.

CONTACT: Tanya M. Mensah; OCIO/GEMS 301-415-3610

BACKGROUND:

In November 2010 the President issued Executive Order (EO) 13556, "Controlled Unclassified Information (CUI)," to "establish an open and uniform program for managing information that requires safeguarding or dissemination controls." On September 14, 2016, NARA published 32 CFR Part 2002 in the Federal Register (81 FR 63323). The CUI Rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch.

The CUI Rule applies directly to Federal Executive Branch agencies, including the NRC. NARA requires an implementation process for agency compliance with the CUI Rule that includes developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI Rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI Program.

In SECY-18-0035, staff informed the Commission of their approach to implementing 32 CFR Part 2002. In that paper, the Commission was informed of the staff's plans to coordinate with other Federal agencies on CUI best practices; to provide a high-level, proposed CUI policy statement to the Commission by September 2018; and to revise MD 12.6, "NRC Sensitive Unclassified Information Security Program," dated December 20, 1999, to provide an effective process and guidance to implement the CUI Rule.

While the agency transitions to the CUI Program, all elements and controls of the Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place. Until directed in accordance with the NRC's CUI policy, guidance, and training, NRC employees and contractors will not use CUI markings or follow other requirements specific to CUI. If NRC employees or contractors receive CUI before the implementation of the CUI Program at the agency, they will follow current NRC guidance to protect sensitive information.

DISCUSSION:

32 CFR 2002.8(c)(4) states that the CUI Senior Agency Official is responsible for ensuring that the agency has CUI implementing policies and plans, as needed. The NRC staff reviewed NARA guidance, including NARA's CUI policy template, to determine the appropriate scope and level of detail needed to comply with the CUI Rule. The CUI policy template prepared by NARA to facilitate each agency's development of a CUI policy is similar in format to an NRC management directive. Therefore, the NRC staff are revising MD 12.6 to provide detailed implementing guidance to NRC staff and contractors to implement the CUI Rule.

As part of the revision to MD 12.6, the NRC staff determined that a high-level Commission policy statement is a necessary component of the NRC's issuance of a CUI policy. The NRC staff considered whether the policy statement should be developed and incorporated into the revision of MD 12.6 and change MD 12.6 to a Chairman-approved management directive similar to the Fee Rule MD, where the language from the statute is the policy within the MD. However, NRC management directives are more inward-facing documents meant to guide the NRC staff, whereas a Commission policy statement would more appropriately serve to inform external stakeholders on the NRC's CUI implementation. Therefore, the issuance of the CUI policy statement, in addition to updating MD 12.6, is consistent with current agency practice and ensures that the Commission establishes agency policy for the staff to implement.

NARA has been designated as the CUI Executive Agent (EA) to implement EO 13556 and to oversee agency efforts to comply with the CUI Rule. As such, NARA reports to the President on agency efforts to implement the Order and the CUI Rule by publishing an annual report on the status of agency implementation. Based upon NARA's 2017 Report to the President [1], the NRC's implementation of CUI is comparable to and consistent with the approach taken by other Federal agencies, to either issue or make continued progress toward issuing an agency CUI policy. During our routine interactions with NARA, the staff has kept NARA informed of our approach and timeline to issue a CUI policy by the end of fiscal year (FY) 2019 and to complete CUI training by the end of FY 2020. The NRC staff believes that issuing a Commission policy statement, in addition to revising MD 12.6, will ensure that the NRC's CUI policy is consistent with the current NARA guidelines and recommendations provided to all Federal agencies.

Communication with Internal NRC Stakeholders

The staff established an interoffice CUI working group and steering committee to facilitate the implementation of a CUI Program at the agency. To enhance awareness of the NRC's plans to transition from SUNSI to CUI, a number of activities have already occurred at the agency. For example, a short module introducing CUI is now available as part of the agencywide annual cyber security awareness training through iLearn. Also, the staff has held CUI informational presentations tailored to specific NRC offices and provided short articles in office newsletters to highlight the staff's plans to transition to CUI. Finally, the staff created an internal CUI Program Web site (http://drupal.nrc.gov/cui) to provide the current status of the NRC's CUI Program implementation.

Coordination with Federal Agencies

In SECY-18-0035, the staff states that "Consistency with Federal partners will be particularly important in areas in which CUI information is shared." To ensure the NRC's consistency in implementing the CUI Rule, the staff routinely interacts with NARA through monthly advisory council and working group meetings to identify best practices from other agencies. As a result of NARA's informal data call to Federal agencies in August 2018, the staff is aware that some Federal agencies have either recently issued, or are making significant progress towards issuing, a CUI implementing policy soon. In addition, the staff has communicated with other Federal agencies that have a regulatory role similar to the NRC's role. This ongoing coordination has been meaningful in determining whether any best practices exist that the NRC can apply to the agency's plans to implement CUI.

[1] The 2017 Report to the President can be downloaded from https://www.archives.gov/files/isoo/reports/2017-annual-report.pdf

Outreach with External NRC Stakeholders

As part of its efforts to engage stakeholders, including Agreement States, the staff provided an overview of the CUI Rule in March 2018 during the Organization of Agreement States teleconference. In addition, the staff discussed the CUI Rule during the Conference of Radiation Control Program Directors (CRCPD) annual meeting in May 2018. At both meetings, the participants appreciated the opportunity to discuss CUI implementation with the NRC.

During the CRCPD meeting, the staff received general questions on how the NRC planned to implement the requirement to establish written agreements when sharing CUI with non-Executive Branch entities. The meeting participants generally agreed that the development of specific information-sharing agreements would be tedious and burdensome because each State operates differently. Therefore, the participants recommended that the NRC consider the use of memoranda of understanding and nondisclosure agreements as a more efficient means to establish written agreements with the Agreement States.

The staff also discussed the CUI Rule during recent Regulatory Issues Task Force public meetings and during public teleconferences with the Nuclear Energy Institute (NEI) and other industry stakeholders on July 18, 2018, and August 7, 2018. During these interactions, industry stakeholders shared their concerns with regard to the NRC's transition to CUI and the potential effect that may have on operating reactor licensees. In particular, industry stakeholders had questions regarding any changes to how they handled internal licensee documents which have neither been shared with nor received from the NRC, but relate to information the NRC has designated as CUI in a different document. During the public teleconferences with NEI, industry stakeholders acknowledged that the staff's clarification (provided in SECY-18-0035) that CUI extends only to information the government creates or possesses, or that an entity creates or possesses on behalf of the government, was helpful. The NEI encouraged the NRC to continue dialogue with industry representatives while the NRC develops its policy and guidance to implement CUI.

To ensure an effective transition from SUNSI to CUI, the CUI working group's communication strategy will continue to identify opportunities to engage NRC staff, contractors, and external stakeholders, including the Agreement States, licensees, vendors, applicants, and the public.

Development of the Proposed CUI Statement of Policy

On November 4, 2010, the President issued EO 13556 to establish a standardized system for the treatment of sensitive unclassified information. The system will result in uniform standards through the executive branch for marking, safeguarding, and controlling the dissemination of CUI. The EO designates NARA as the EA for the CUI Program to oversee agency actions to ensure compliance with the EO, the CUI Rule, and the CUI Registry. The CUI Registry is an online repository located on the NARA webpage [2]. It identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories and subcategories within NARA's CUI Registry serve as exclusive designations for identifying CUI for all Federal executive agencies, as well as the NRC.

[2] NARA website: https://www.archives.gov/cui.

NARA's Information Security Oversight Office issued 32 CFR 2002 to establish the policy and requirements for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the CUI Program. In consultation with the Office of Management and Budget, NARA submits periodic reports to the President on the status of agencies' CUI implementation.

The following describes the information that was considered by the staff to support the development of the proposed CUI statement of policy. The proposed CUI policy statement:

1. Describes the issuance of EO 13556, 32 CFR 2002, and NARA's role to establish policy and requirements for agencies for the CUI Program.
2. Describes that the implementation of agencies' CUI Programs is based on guidelines established by NARA for agency compliance with the CUI Rule. This includes developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI Rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI Program.
3. States that the NRC will replace the SUNSI program with the CUI program, which will also include within its scope Safeguards Information (SGI) and Safeguards Information-Modified Handling. Even though SGI is a form of CUI under the CUI Rule, any specific controls found in 10 CFR Part 73, "Physical Protection of Plants and Materials," continue to apply to SGI and will continue to do so until and unless modifications are made through the NRC's rulemaking process to 10 CFR Part 73.
4. Clarifies that the CUI Program is separate from the Classified National Security Information Program.
5. Conveys that the CUI Program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff will still review the information and apply FOIA exemptions appropriately.
6. Informs stakeholders that Management Directive 12.6, "NRC Controlled Unclassified Information Program," when published, will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with 32 CFR Part 2002.
7. States that CUI does not include information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency.
8. Recognizes that the CUI Rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The staff is committed to reducing unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.
9. States that all elements and controls of the SUNSI program will remain in place while the agency transitions to the CUI Program, until directed in accordance with the NRC's CUI policy, guidance, and training.

COMMITMENTS:

The Office of the Chief Information Officer (OCIO) will continue to work with the program offices to support roll-out, communications, and training efforts, as appropriate. OCIO will continue to participate in interagency dialogues and working groups to ensure knowledge of, and promote the use of, best practices and governmentwide standards and collaboration.

The staff will continue to seek ways to engage a broad range of stakeholders, including the Agreement States, non-Agreement states, licensees, vendors, applicants, and other stakeholders, to ensure an effective transition from SUNSI to CUI.

OPTIONS:

The staff evaluated two options as follows:

Option 1: Publish the high-level, proposed CUI policy statement for public notice and comment in the Federal Register.

Pros:

  • In SECY-18-0035, the staff committed to provide the Commission with a high-level, proposed policy statement by September 2018. Meeting this milestone demonstrates to the NRC's internal and external stakeholders that the staff is committed to implementing CUI in accordance with NARA's guidance.
  • Publishing a high-level, proposed policy statement for public notice and comment aligns with the staff's commitment to engage a broad range of stakeholders during the transition from SUNSI to CUI. It also signifies to NARA, and other stakeholders, that the NRC is beginning the transition from SUNSI to CUI.
  • The proposed policy statement contains a high-level commitment regarding the agency's intent to avoid unintended and unnecessary burdens on external parties, which could give prospective commenters something on which to comment, even if the policy statement does not go into detail regarding specific implementation issues that could affect external parties.

Cons:

  • Seeking public comment on the proposed CUI policy statement may provide limited benefit, due to the proposed policy statement's high-level nature. The proposed CUI policy statement expresses the NRC's intent to implement the CUI Program in accord with the CUI Rule, and it expresses a general commitment to avoid unintended and unnecessary burdens on external parties, while still ensuring adequate protective measures for CUI. Beyond that, however, the proposed policy does not describe specific new requirements or agency positions relevant to non-Executive branch entities. The CUI Rule has been publicly available since September 14, 2016, and in effect since November 14, 2016, and its applicability to the NRC has not been in question. The policy statement would therefore provide interested stakeholders with relatively little material on which to comment.

  • The NRC staff will not have any direction from the Commission about whether to pursue a rule.

Option 2: Approve the high-level, CUI policy statement and its publication in the Federal Register, concurrent with the issuance of MD 12.6.

Pros:

  • The proposed CUI policy statement confirms the NRC's commitment to protecting CUI in accordance with the CUI Rule.
  • Internal and external stakeholders are interested in understanding the specific details of how the NRC plans to implement CUI. During the development of MD 12.6, the staff plans to engage external stakeholders to discuss the NRC's plans to implement CUI and to obtain stakeholder feedback regarding any impacts. Issuing the policy statement as a final policy statement, concurrent with an updated MD 12.6, supports a more effective transition from SUNSI to CUI throughout the NRC and for all external stakeholders.

Cons:

  • MD 12.6 is under revision by the staff to incorporate guidance to implement CUI. It is currently estimated to be published in September 2019. Any significant impacts to publish MD 12.6 in September 2019 could delay the publishing of a proposed CUI policy statement in the Federal Register.
  • The proposed CUI policy statement contains an agency commitment, albeit at a very high level of generality, to avoid unintended and unnecessary burdens on external parties while also maintaining adequate protective measures for CUI. Adopting the policy statement without first soliciting public comment would mean the Commission is adopting this commitment, which is directed towards the NRC's relations with external parties, without formally soliciting input from such parties.

RECOMMENDATION:

The staff recommends Option 2. This option recognizes that the CUI policy statement reiterates the requirements of the CUI Rule and that minimal benefit is afforded to the public from its review since the CUI Rule has already been published. Coordinating the issuance of the final CUI policy statement to coincide with the issuance of the staff's implementing guidance will better ensure continuity and stakeholder understanding of the NRC's transition to CUI than if the NRC were to issue CUI transition documents in a piecemeal fashion. The NRC staff believes that issuance of a draft high-level CUI policy statement, without NRC-specific implementing guidance, would not significantly advance the NRC's CUI transition, either in the eyes of external stakeholders or NARA. Although under Option 2 the public will not see a high-level Commission policy statement in any form until September 2019, the staff will continue its outreach to external stakeholders to inform them of plans for implementation of the CUI program and continue to elicit their views on the impact of the program on external stakeholders during this timeframe.

RESOURCE:

The FY 2018 Enacted Budget includes $924,000 and three full-time equivalent staff (FTE) in the Reactor Safety, Materials and Waste Safety, and Corporate Support program areas to support the transition to CUI and oversee the agencywide SUNSI, SGI, and CUI information security programs. The FY 2019 President's Budget includes $576,000 and four FTE in the same program areas. However, since the development of the FY 2018 and FY 2019 budgets, NARA has provided additional CUI implementation information that the staff used to inform its implementation plan, and this information delayed some planned obligations of FY 2018 contract funding. As a result, additional resources beyond those budgeted in FY 2018 and FY 2019 will be needed to effectively implement the new CUI Program. The staff will address these additional needs via a reallocation of funds in FY 2019 or the Returns and Shortfalls process. FY 2020 and beyond will be addressed through the Planning, Budgeting, and Performance Management process.

COORDINATION:

The Office of the General Counsel reviewed this package and has no legal objection. The Office of the Chief Financial Officer reviewed this package and determined that it has no financial impact.


Executive Director for Operations

Enclosures:

1. Federal Register notice Announcing Proposed Policy Statement for Public Comment
2. Federal Register notice Announcing Final, Approved Policy Statement for Issuance

SUBJECT: PROPOSED CONTROLLED UNCLASSIFIED INFORMATION POLICY STATEMENT DATED ______

SECY-18-0035; 200900185
ADAMS Accession No.: Package: ML18232A211
*via email

OFFICE | OCIO/GEMS: PM | QTE* | OCIO/GEMS: DD* | OCIO/GEMS: D
NAME | TMensah | JDougherty | JFeibus | JMoses
DATE | 08/22/18 | 08/23/18 | 08/30/18 | 09/ /18

OFFICE | NRO: DD* | NRR: D/DSS* | NSIR: DD* | NMSS: DD*
NAME | VOrdaz | MGavrilas | JLubinski | SMoore
(w/comments) (w/comments)
DATE | 08/31/18 | 08/31/18 | 08/30/18 | 09/05/18

OFFICE | RES: D* | ADM: DD* | OE: DD* | OCHCO: DD*
NAME | RFurstenau | MLombard | FPeduzzi | JGolder
DATE | 08/24/18 | 08/31/18 | 08/31/18 | 08/30/18

OFFICE | OI: DD* | OIP: DD* | R-IV: DRA* | OCFO: DCFO*
NAME | SJefferson | DSkeen | S. Morris | BFicks
(w/comments) (w/comments)
DATE | 08/27/18 | 08/29/18 | 08/31/18 | 08/30/18

OFFICE | OGC* | OCIO: DCIO* | OCIO: CIO* | EDO
NAME | JAdler | SFlanders | DNelson | MDoane
(w/comments)
DATE | 09/13/18 | 09/20/18 | 09/20/18 | [illegible]

OFFICIAL RECORD COPY