STC-22-075, Notification of Issuance of RIS 2022-03, NRC Plans to Establish Controlled Unclassified Information-Sharing Agreements with Non-Executive Branch Entities

ML22346A214
Issue date: 12/16/2022
From: Bethany Cecere, NRC/NMSS/DMSST/ASPB
To: State of CT, State of IN, State, Agreement States
Shared Package: ML22347A219
References: STC-22-075, RIS 2022-03


Text

ALL AGREEMENT STATES, CONNECTICUT, INDIANA

NOTIFICATION OF ISSUANCE OF REGULATORY ISSUE SUMMARY 2022-03, NRC PLANS TO ESTABLISH CONTROLLED UNCLASSIFIED INFORMATION-SHARING AGREEMENTS WITH NON-EXECUTIVE BRANCH ENTITIES (STC-22-075)

Purpose:

To inform the recipients that Regulatory Issue Summary (RIS) 2022-03, "NRC Plans to Establish Controlled Unclassified Information-Sharing Agreements with Non-Executive Branch Entities," was issued on December 08, 2022.

Background:

Controlled Unclassified Information (CUI) is a new information security program established pursuant to Executive Order 13556, Controlled Unclassified Information. The National Archives and Records Administration issued government-wide implementing regulations for Federal executive branch agencies, such as the U.S. Nuclear Regulatory Commission (NRC), to implement the CUI program (32 CFR Part 2002). The CUI program intends to standardize the way the Federal executive branch handles unclassified information.

It introduces a new framework for the entire Federal executive branch to designate, mark, safeguard, and disseminate unclassified information. The NRC currently expects to transition to a CUI program on November 1, 2023, which will replace its Sensitive Unclassified Non-Safeguards Information (SUNSI) program. Following the NRC's transition, licensees, Agreement State regulators, and other NRC external stakeholders would begin to receive NRC documents with CUI banner markings, instead of Official Use Only markings.

Discussion:

Enclosed in this letter is the RIS that explains in more detail that the CUI Rule applies directly to all Federal executive branch entities, such as the NRC, and does not directly impose requirements on non-executive branch entities. However, the CUI Rule does require Federal executive branch agencies to enter into formal CUI information-sharing agreements with non-executive branch entities such as licensees, Agreement State regulators, and other NRC external stakeholders, whenever feasible, before sharing CUI with those entities. This agreement is to include provisions on how entities are to handle CUI received from an agency, such as the NRC, in accordance with the CUI Rule.

In addition, if a non-executive branch entity's information system processes (i.e., downloads, prints, or forwards) or stores CUI, the CUI Rule requires agencies to use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, when establishing security requirements in information-sharing agreements to protect CUI's confidentiality. Due to the close partnership NRC has with Agreement State regulatory agencies and the routine sharing of and collaboration on various information, the NRC will be providing all the Agreement State regulatory agencies the CUI information-sharing agreements to affirm the format (hard copy or electronic (either full access or view only)) in which CUI can be shared. Although signing of these agreements with the NRC will be voluntary, doing so will better facilitate the continued sharing of CUI with entities based upon the terms of the agreements.

December 16, 2022

As communicated in previous monthly National Materials Program (NMP) teleconference calls and past CUI public meetings, non-executive branch entities, such as Agreement State regulators, will be able to self-certify their compliance with NIST SP 800-171 if they intend to electronically process or store CUI; however, to do this, entities will need to determine the adequacy of their information systems. This review may involve developing a system security plan and plan of action and milestones for mitigating vulnerabilities and identified gaps in meeting NIST SP 800-171 requirements. Additional information regarding the NIST SP 800-171 requirements is available under Frequently Asked Questions, on the NRC's CUI public website: https://www.nrc.gov/reading-rm/cui/faq.html#800-171.

Other Federal executive branch entities that have already transitioned to CUI may have already established their own CUI information-sharing agreements with non-executive branch entities, such as with Agreement State programs, in which review of information systems may have already been conducted and compliance with NIST SP 800-171 may have been confirmed through these other agencies' agreements. The previous review and confirmation may be considered when responding to and establishing the specific CUI information-sharing agreement with the NRC.

The NRC staff anticipates issuing these formal CUI information-sharing agreements with non-executive branch entities in the summer of 2023, prior to the CUI transition. Also, the NRC staff is in the process of planning additional NRC CUI public meetings for 2023 to keep all stakeholders informed of the NRC's progress to transition to CUI on November 1, 2023, and to further discuss the status of the CUI information-sharing agreement and other CUI-related topics. The NRC staff will continue to keep Agreement State regulators informed on the status of CUI transition activities and challenges/issues necessitating input from or updates to the Agreement State regulators via various communication avenues such as the monthly NMP teleconference calls, State and Tribal Communications letters, etc. Additional information is also available on the NRC's CUI public website (https://www.nrc.gov/reading-rm/cui.html).

If you have any questions regarding this correspondence, please contact the individuals named below.

POINT OF CONTACT: Kim Lukes
E-MAIL: Kim.Lukes@nrc.gov
TELEPHONE: (301) 415-6701

POINT OF CONTACT: Matt Barrett
E-MAIL: Matt.Barrett@nrc.gov
TELEPHONE: (301) 415-3931

For detailed questions regarding the NRC's CUI program, please contact the individual named below.

POINT OF CONTACT: Tanya Mensah
E-MAIL: Tanya.Mensah@nrc.gov
TELEPHONE: (301) 415-3610

Bethany Cecere, Acting Chief
State Agreement and Liaison Programs Branch
Division of Materials Safety, Security, State, and Tribal Programs
Office of Nuclear Material Safety and Safeguards

Enclosure:
As stated

Signed by Cecere, Bethany on 12/16/22

SUBJECT: NOTIFICATION OF ISSUANCE OF REGULATORY ISSUE SUMMARY 2022-03, NRC PLANS TO ESTABLISH CONTROLLED UNCLASSIFIED INFORMATION-SHARING AGREEMENTS WITH NON-EXECUTIVE BRANCH ENTITIES (STC 075)

DATED: DECEMBER 16, 2022

DISTRIBUTION: PUBLIC

ADAMS Accession Number: ML223472A219 (Pkg) ML22346A214 (Ltr)

OFFICE  NMSS/MSST/SMPB  NMSS/MSST/SMPB  NMSS/MSST/SALB
NAME    KLukes          TMossman        BCecere
DATE    12/13/22        12/13/22        12/16/22