ML20288A425: Difference between revisions

(StriderTol Bot insert)
 
(StriderTol Bot change)
 
Line 671: Line 671:
==Subject:==
==Subject:==
FW: Questions
FW: Questions
: Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13- ~.J.u.WIII.'-', received today in response to FOIA 2014-0236. The memo is undated. Could either you or 1bY7)1Cl              please tell me the date on which i(b)(7)(C) !sent this memo to !(b)(7J(GJ      P. Was it before or after our correspondence in the email trail below On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e NRC Internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The Information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
: Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13- ~.J.u.WIII.'-', received today in response to FOIA 2014-0236. The memo is undated. Could either you or 1bY7)1Cl              please tell me the date on which i(b)(7)(C) !sent this memo to !(b)(7J(GJ      P. Was it before or after our correspondence in the email trail below On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e NRC Internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The Information of concern was my {{letter dated|date=September 18, 2012|text=September 18, 2012 letter}} to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
u
u


Line 1,016: Line 1,016:
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining 14
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining 14


supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my {{letter dated|date=September 18, 2012|text=September 18, 2012 letter}} to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review {found at http://www.internal.nrc.gov/sunsl/), and an explanation of what exactly constitute ''need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review {found at http://www.internal.nrc.gov/sunsl/), and an explanation of what exactly constitute ''need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.
Line 1,223: Line 1,223:
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining 9
On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining 9


supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my {{letter dated|date=September 18, 2012|text=September 18, 2012 letter}} to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and *conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and *conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed *need to know", I still do not know the answers to the questions I pose below.
I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed *need to know", I still do not know the answers to the questions I pose below.

Latest revision as of 15:09, 14 March 2021

NRC-2018-000096 - Resp 1, 3, 5, 6, 7, 11 & 12 - Interims, Agency Records Subject to the Request Are Enclosed
ML20288A425
Person / Time
Issue date: 10/26/2017
From:
NRC/OCIO
To:
Shared Package
ML20288A411 List:
References
FOIA, NRC-2018-000096
Download: ML20288A425 (132)


Text

From: McAndrew, Sara Sent: Monday, June 06, 2016 1:28 PM To: Gagnon, Ronald

Subject:

RE: Draft SUNSI responses Follow Up Flag: Follow up Flag Status: Flagged Ron,

Thank you for your quick turn around.

(b)(5)

Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66 From: Gagnon, Ronald Sent: Monday, June 06, 2016 12:31 PM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick

<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;

Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>

Subject:

RE: Draft SUNSI responses Sara, Thank you for the quick response.

(b)(5) Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Monday, June 06, 2016 11:50 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick

<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>

Subject:

RE: Draft SUNSI responses

Thanks for your help, Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66 From: Gagnon, Ronald Sent: Monday, June 06, 2016 11:10 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, Thank you, Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Gagnon, Ronald Sent: Tuesday, May 31, 2016 7:29 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, Let me know if you have a few minutes to meet when you get in today.

Thank you, Ron

Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Wednesday, May 25, 2016 4:25 PM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Subject:

SUNSI responses

Sara

Thank you.

Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66

From: Correia, Richard Sent: Thursday, June 09, 2016 12:44 PM To: Gagnon, Ronald Cc: McAndrew, Sara; Janney, Margie; Le, Hong; Rheaume, Cynthia

Subject:

RE: Draft SUNSI responses Follow Up Flag: Follow up Flag Status: Flagged Many thanks Ron. Appreciate your great support.

Best Rich Richard P. Correia, P.E.

Director, Division of Risk Analysis Office of Nuclear Regulatory Research U.S. NRC From: Gagnon, Ronald Sent: Wednesday, June 08, 2016 9:02 AM To: Correia, Richard <Richard.Correia@nrc.gov>

Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>; Le, Hong

<Hong.Le@nrc.gov>; Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>

Subject:

RE: Draft SUNSI responses Good morning Rich.

I agree that the information will be a good resource for NRC employees. I'll forward your proposal to the OCIO leadership team for their input/action. Please copy me with your response to the employee.

Thank you for your assistance.

Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Correia, Richard Sent: Wednesday, June 08, 2016 8:48 AM

To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Subject:

FW: Draft SUNSI responses attorney client privileged information attorney work product Good morning Ron, (b)(5)

Best Rich Richard P. Correia, P.E.

Director, Division of Risk Analysis Office of Nuclear Regulatory Research U.S. NRC From: McAndrew, Sara Sent: Monday, June 06, 2016 1:31 PM To: Correia, Richard <Richard.Correia@nrc.gov>

Cc: Weber, Michael <Michael.Weber@nrc.gov>

Subject:

FW: Draft SUNSI responses attorney client privileged information attorney work product Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66 From: Gagnon, Ronald Sent: Monday, June 06, 2016 12:31 PM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick

<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;

Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>

Subject:

RE: Draft SUNSI responses

Sara,

Thank you for the quick response. (b)(5)

Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Monday, June 06, 2016 11:50 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick

<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>

Subject: RE: Draft SUNSI responses (b)(5)

Thanks for your help, Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66 From: Gagnon, Ronald Sent: Monday, June 06, 2016 11:10 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, Thank you, Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Gagnon, Ronald Sent: Tuesday, May 31, 2016 7:29 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, Let me know if you have a few minutes to meet when you get in today.

Thank you,

Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Wednesday, May 25, 2016 4:25 PM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Subject:

SUNSI responses

(b)(5) Thank you.

Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66

From: Weber, Michael Sent: Monday, June 06, 2016 3:48 PM To: Gagnon, Ronald

Subject:

RESPONSE - Draft SUNSI responses Thanks, Ron From: Gagnon, Ronald Sent: Monday, June 06, 2016 12:31 PM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick

<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>;

Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>

Subject:

RE: Draft SUNSI responses

Sara,

Thank you for the quick response. (b)(5) Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Monday, June 06, 2016 11:50 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>; Brown, Frederick

<Frederick.Brown@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>

Subject:

RE: Draft SUNSI responses Thanks for your help, Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66

From: Gagnon, Ronald Sent: Monday, June 06, 2016 11:10 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, (b)(5)

Thank you, Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Gagnon, Ronald Sent: Tuesday, May 31, 2016 7:29 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Subject:

RE: SUNSI responses

Good morning Sara, Let me know if you have a few minutes to meet when you get in today.

Thank you, Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Wednesday, May 25, 2016 4:25 PM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66

From: McAndrew, Sara Sent: Monday, June 06, 2016 11:50 AM To: Gagnon, Ronald Cc: Janney, Margie; Weber, Michael; Brown, Frederick; Correia, Richard Subject: RE: Draft SUNSI responses Attachments: SUNSI answers sent to 000 June 6.docx

The 2-page draft attachment has been withheld in full on the basis of FOIA exemption 5.

attorney client privileged information attorney work product Ron, Thanks for your help, Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66 From: Gagnon, Ronald Sent: Monday, June 06, 2016 11:10 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, Thank you, Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Gagnon, Ronald Sent: Tuesday, May 31, 2016 7:29 AM To: McAndrew, Sara <Sara.McAndrew@nrc.gov>

Subject:

RE: SUNSI responses Good morning Sara, Let me know if you have a few minutes to meet when you get in today.

Thank you,

Ron Ronald E. Gagnon OCIO / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: McAndrew, Sara Sent: Wednesday, May 25, 2016 4:25 PM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Subject:

SUNSI responses

(b)(5) Thank you.

Sara Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66

From: Rheaume, Cynthia Sent: Friday, May 27, 2016 12:42 PM To: Le, Hong; Gagnon, Ronald Cc: Janney, Margie; Flanagan, James

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Follow Up Flag: Follow up Flag Status: Flagged All - no need to coordinate with the IG, as clarified by Jim this AM. He would like for OGC to handle all further communications.

From: Flanagan, James Sent: Friday, May 27, 2016 11:39 AM To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald Cc: Janney, Margie

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Yes, please discuss with OGC and have them frame a response. This email exchange is likely to get argumentative and it is not something that we wish to continue to engage in. Before we send anything back to this individual please connect with Fred so that he can review Thank you,

James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 From: Rheaume, Cynthia Sent: Friday, May 27, 2016 11:17 AM To: Le, Hong <Hong.Le@nrc.gov>; Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI Jim - I thought I heard you say you also wanted us to coordinate with the IG, correct?

From: Le, Hong Sent: Friday, May 27, 2016 10:10 AM

To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Rheaume, Cynthia <Cynthia.Rheaume@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Janney, Margie

<Margie.Janney@nrc.gov>

Subject:

Re: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI Ron - please do not respond. We need to consult with Fred/Jim and/or OGC. On: 27 May 2016 10:04, "Criscione, Lawrence" <Lawrence.Criscione@nrc.gov> wrote:

Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".

Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.

Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.

Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?

My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.

Thank you, Larry From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia

<Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>;

Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208

<NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>

Subject:

Who Determines Need-To-Know for OUO?

Mr. Criscione:

You inquired regarding the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that ... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0 (2) - Need to know access See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.

See Below:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-

  • Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
  • Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
  • Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.

  • Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
  • Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
  • Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
  • Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
  • Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
  • Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
  • Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
  • Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Flanagan, James Sent: Friday, May 27, 2016 11:42 AM To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald Cc: Janney, Margie

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNST Attachments: RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI Follow Up Flag: Follow up Flag Status: Flagged Also. the OGC point of contact 1s attached. Please mark all "Attorney Client Privilege" from this point forward.

Regards, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville , MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov From: Flana,gan, James Sent: Friday, May 27, 201611:39 AM To: Rheaume, Cynthia; Le, Hong; Gagnon, Ronald Cc: Janney, Margie

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI Yes, please discuss with OGC and have them frame a response This email exchange is likely to get argumentative and it is not something that we wish to continue to engage in Before we send anything back to this individual please connect with Fred so that he can review Thank you ,

James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop 0-6E7A Rockville, MD 20852-2738

Telep hone 301-415-8700 From : Rheaume, Cynthia Sent: Friday, May 27, 201611:17 AM To: le, Hong; Gagnon, Rona ld Cc: Flanagan, James ; Janney, Margie

Subject:

RE : Contusion regard ing Ron Gagnon's answers to Need-to-Know for SUNSI Jim - I thought I heard you say you also wanted us to coordinate with the IG, correct?

From: Le, Hong Sent: Friday, May 27, 201610:10 AM To: Gagnon, Ronald <Repa id.Ga n c. o Cc: Rheau me, Cynthia <C nthia.Rheaume nrc. ov>; Flanagan, James <James.Flarray n

<Mar I .Janne nrc. ov>

Subject:

Re: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Ron - please do not respond. We need to consult with Fred/Jim and/or G .

On: 27 May 2016 10:04, "Criscione, Lawrence" <Lawrence.

Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".

Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.

Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.

Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?

My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.

Thank you, Larry

From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>

Subject:

Who Determines Need-To-Know for OUO?

Mr. Criscione:

You inquired regarding the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that ..."except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access

See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.

See Below:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-

  • Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
  • Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
  • Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
  • Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
  • Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
  • Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
  • Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
  • Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
  • Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
  • Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
  • Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: McAndrew, Sara Sent: Friday, May 27, 2016 10:41 AM To: Flanagan, James Cc: Gagnon, Ronald; Maxin, Mar~ Weber, Michael; Correia, Richard; Thaggard, Mark

Subject:

RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Attorney client privilege

Thanks, Jim. (b)(5), (b)(6)

(b)(5)

Sara McAndrew Senior Attorney 301-287-0976 OWFN15A66

From: Flanagan, James Sent: Friday, May 27, 2016 10:15 AM To: Weber, Michael <Michael.Weber@nrc.gov>; Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Thaggard, Mark <Mark.Thaggard@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Janney, Margie

<Margie.Janney@nrc.gov>

Subject:

RE: FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Mike, Thank you, Hong Le, his manager had provided similar guidance. We will not be responding until OGC provides further insight.

Thank you,

James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov

From: Weber, Michael Sent: Friday, May 27, 2016 10:14 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: McAndrew, Sara <Sara.McAndrew@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Thaggard, Mark <Mark.Thaggard@nrc.gov>; Brown, Frederick <Frederick.Brown@nrc.gov>; Flanagan, James

<James.Flanagan@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov>

Subject:

FYI - Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Good morning, Ron. Before you consider responding, suggest that you touch base with Sara McAndrew in OGC. Sara has been assisting us on questions like these from Larry. Thanks

From: Criscione, Lawrence Sent: Friday, May 27, 2016 10:05 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard

<Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>;

Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael

<Michael.Weber@nrc.gov>

Subject:

Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".

Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.

Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.

Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?

My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.

Thank you, Larry

From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM

To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard

<Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>;

Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael

<Michael.Weber@nrc.gov>

Subject:

Who Determines Need-To-Know for OUO?

Mr. Criscione:

You inquired regarding the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that ..."except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access

See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information. See Below:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-

  • Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
  • Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
  • Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
  • Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
  • Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
  • Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
  • Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
  • Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
  • Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
  • Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
  • Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Council regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Flanagan, James Sent: Friday, May 27, 2016 10:24 AM To: Gagnon, Ronald Cc: Janney, Margie; Rheaume, Cynthia; Le, Hong; Chen, Yen-Ming; Brown, Frederick

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Attachments: FYI - Who Determines Need-To-Know for OUO?

Follow Up Flag: Follow up Flag Status: Flagged

Team,

Attached is additional material to support your OGC review. This was provided by Mike Weber from an email to Cynthia Carpenter. Regards,

James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov

From: Flanagan, James Sent: Friday, May 27, 2016 10:07 AM To: Gagnon, Ronald Cc: Janney, Margie; Rheaume, Cynthia; Le, Hong; Chen, Yen-Ming; Brown, Frederick

Subject:

RE: Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Ron, Please seek guidance from OGC and OCHCO related to any response. This is just getting argumentative and placing your factual response in a difficult position.

Regards, James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov

From: Criscione, Lawrence Sent: Friday, May 27, 2016 10:05 AM To: Gagnon, Ronald <Ronald.Gagnon@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>

Subject:

Confusion regarding Ron Gagnon's answers to Need-to-Know for SUNSI

Ron, Regarding your answer to Question 1, I still do not understand if bargaining unit personnel are allowed to discuss SUNSI with any colleague whose opinion they so choose to seek. It would be most helpful if, when answering question 1, you begin your answer with a "Yes" or a "No".

Regarding your answer to Question 2, neither your answer nor the Yellow Announcement you refer me to contain any information that would allow me to determine which colleagues cannot know of SUNSI nuclear safety concern. Please explain to me how I am to determine which colleagues cannot know of SUNSI nuclear safety concern.

Regarding your answer to Question 3, are you stating that employees must go through the Office of Congressional Affairs prior to providing information to Congress and cannot directly provide information to Congress on their own? If not, please clearly state.

Regarding your answer to Question 4, with whom in OCA and OGC should I address my questions?

My questions are straight forward questions and I would appreciate straight forward answers. If you are not comfortable answering my questions in a clear and concise manner, that should tell you something about our policies.

Thank you, Larry

From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>

Cc: Janney, Margie <Margie.Janney@nrc.gov>; Flanagan, James <James.Flanagan@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>; Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>

Subject:

Who Determines Need-To-Know for OUO?

Mr. Criscione:

You inquired regarding the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that ..."except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section 0(2) - Need to know access

See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.

See Below:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-

  • Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
  • Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
  • Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
  • Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
  • Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
  • Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
  • Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
  • Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
  • Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
  • Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
  • Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch 4

United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Weber, Michael Sent: Friday, May 27, 2016 10:21 AM To: McAndrew, Sara Cc: Thaggard, Mark; Correia, Richard; Hackett, Edwin; Flanagan, James; Carpenter, Cynthia

Subject:

FYI - Who Determines Need-To-Know for OUO?

(b)(5)

From: Criscione, Lawrence Sent: Friday, May 27, 2016 9:49 AM To: Carpenter, Cynthia; Weber, Michael Cc: Hackett, Edwin; Correia, Richard; Peters, Sean; Heard, Robert; Schwartz, Maria; NTEU, Chapter 208; Gagnon, Ronald; Kirkwood, Sara; Holahan, Gary; Clark, Theresa

Subject:

RE: Who Determines Need-To-Know for OUO?

Cynthia, If you review the lengthy email trail below, you will see that I've been down that route before. In February 2015, Ron Gagnon of the FOIA branch passed the buck on my concerns back to my RES supervision.

I believe that there is absolutely no basis for "Need-to-Know" to be applied to nuclear safety concerns such as catastrophic flooding at nuclear power plant sites due to upstream dam failures-failures caused by acts of nature and latent engineering flaws and not acts of sabotage. It is clear to me that these "Need-to-Know" restrictions are being set in place to prevent inconvenient embarrassing information from being widely accessed within the NRC and thus limit its likelihood of exiting the agency (as occurred in 2012 when I distributed some documents to Congress and the US Office of Special Counsel).

I recognize that it is natural for a bureaucracy to place a primacy upon protecting its good name and reputation, but by restricting information on important nuclear safety issues to only those staff who can be "trusted" to not disclose glaring unresolved public hazards we are undermining the Open & Collaborative Work Environment that this agency supposedly supports.

I will not be bouncing around FOIA and OCIO to discuss my concerns. My concerns have been well documented in the 3 1/2 year email trail below. Lack of understanding on this issue (i.e. Need-to-know regarding SUNSI) led directly to the NRC's IG illegally seeking felony charges against me in February 2013 for sharing SUNSI with some Congressional staffers-something I had a protected right to do under 5 USC 7211. This is an issue that both the agency and the union should take seriously as it undermines the ability of the bargaining unit to vet their concerns with staff whom they trust-e.g. in NRO they are currently restricted from discussing flooding issues with staff who have not been specifically assigned to the work on the issue.

I've asked four questions below. According to Ron Gagnon's February 2012 responses to me, those questions fall under the purview of my RES chain of command. I would appreciate it if you and Mike Weber would recognize and respect the efforts I have taken since October 25, 2012 to get answers to these questions and not dish me off to the FOIA office and OCIO.

The simple questions I would like specific, non-bureaucratic answers to are:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Thank you, Larry 573-230-3959

From: Carpenter, Cynthia Sent: Wednesday, May 25, 2016 11:18 AM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov>

Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>

Subject:

RE: Who Determines Need-To-Know for OUO?

Larry, Please contact OCIO regarding your questions. Controlled Unclassified Information (i.e. currently SUNSI) falls under their area of expertise. If it were SGI or classified, it would be NSIR. I don't know who in OCIO has the lead for this, but I would start with the FOIA, Privacy and information collections branch.

From: Criscione, Lawrence Sent: Wednesday, May 25, 2016 8:57 AM To: Weber, Michael <Michael.Weber@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>

Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>

Subject:

RE: Who Determines Need-To-Know for OUO?

Mike/Cynthia, Yesterday the agency published a Yellow Announcement on Need-to-Know (ML16111A432) which-in my opinion-was not very informative. I still have the following questions regarding Need-to-Know as it pertains to nuclear safety issues marked as SUNSI (I have always had a very clear understanding regarding Need-to-know as applied to classified information and SGI):

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Thanks,

Larry Lawrence S. Criscione RES/DRA/HFRB

From: Criscione, Lawrence Sent: Thursday, April 28, 2016 5:39 PM To: Weber, Michael <Michael.Weber@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>

Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; Campbell, Andy <Andy.Campbell@nrc.gov>; Bley, Dennis <Dennis.Bley@nrc.gov>

Subject:

Who Determines Need-To-Know for OUO?

Mike/Sheryl, As can be seen from the email trail below, I have been trying to get an answer to the handling of Official Use Only information for quite some time.

Attached is a letter I received last week from the US Office of Special Counsel (OSC). In the letter it is stated that the OSC has referred my disclosure regarding the agency's failure to adequately address flooding from dam failures to the NRC Chairman for investigation and report. It is not yet known by me whom the Chairman intends to assign to investigate my concerns.

In anticipation of potentially meeting with the Chairman's assigned investigator, over lunch today I met with seven colleagues from RES, NRR and NRO to discuss outstanding flooding concerns. At that meeting I was informed that certain supervisors in NRO have deemed certain flooding information and studies as sensitive information subject to strict need-to-know restrictions.

That is, my NRO colleagues told me they had to talk around certain concerns because I-and others present-were not formally assigned to work on those issues and to know those concerns.

Please note that none of the issues were related to nuclear security. These issues pertained entirely to nuclear SAFETY issues (e.g. Probabilistic Maximum Precipitation estimates for certain sites, flood inundation levels, etc).

Please also see the attached OCWE flyer from Bill Borchardt.

To me, the restrictions placed on the NRO staff directly contradict the work environment purported by Mr Borchardt.

But it is much worse than that.

One of the NRO staff informed me that she might not be able to discuss some of her specific flooding concerns with the Chairman's investigator since the issues could only be shared with those with a need-to-know.

Think about that for a minute. The staff of the NRC supports the work of the Commission. The President appoints the Chairman of the Commission. The President appoints the Special Counsel. The Special Counsel has directed the Chairman to furnish a report to her within 60 days regarding my flooding concerns so that she might forward the Chairman's investigative results on to the President. Yet NRO management has their staff so rattled and confused regarding "need-to-know" surrounding flooding concerns that a staff member is concerned that she cannot even discuss those issues with the Chairman's investigator. That's messed up. Waaaaaay messed up.

Today, I also found out that the Advisory Committee on Reactor Safeguards needed to agree to a Memorandum of Understanding (MOU) prior to being allowed to see certain flooding information.

Think about that for a minute. This is unclassified information. It is not safeguards. None of it has any value in determining how to breach a dam. These studies were done at the request of the NRC to aid in determining how dam failures will affect the viability of reactor plants. Yet the Advisory Committee on Reactor Safeguards cannot automatically see these studies?????

I would appreciate it if I could get a definitive answer from Mike to the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

I recognize PII, allegation material, attorney/client privilege all fall under some definition of SUNSI. But in lieu of a better term, I am using SUNSI to refer to nuclear safety related information that is, for whatever reason, not public information. I am not at all confused on the prohibition of sharing PII, allegation material, attorney-client privilege, etc. so please restrict your answer to SUNSI that pertains solely to nuclear safety.

Please answer my questions directly. As can be seen below, I have for several years been bounced around between various NRC offices, web pages, 10 CFR references, and obtuse Management Directive references that do not address these questions.

This is an issue that gravely affects the Safety Culture of this agency. Imagine an individual with concerns regarding the flooding evaluation at Oconee being told that he cannot discuss the matter with fellow colleagues in his branch because they have no "need-to-know". Imagine the stress of being told by your superiors to sign off on an evaluation and not being able to discuss your concerns with your trusted peers. These are not hypotheticals; they have happened and are happening.

I would appreciate it from Sheryl if she would assist me in getting answers to my questions above. This is an NRC issue not a RES issue (in fact, to my knowledge, there is nothing in RES restricted to a "need-to-know").

To me, this should be brought up at the ALMPC.

I am not saying there is no guidance. As can be seen from the email trail below, there is plenty of guidance. It's just not in a form that can be applied.

I would like the NRC to go on record stating that there are certain SUNSI documents that cannot be supplied to Congress and the OSC or confirming that there are no prohibitions against providing SUNSI documents to Congress and the OSC. And I would like the NRC to go on record stating that all employees can view discuss SUNSI nuclear safety concerns with their peers or confirming that there are certain prohibitions against sharing SUNSI material with peers not directly assigned to work on those materials.

V/r, Larry Lawrence S. Criscione RES/DRA/HFRB 573-230-3959

From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 10:41 AM To: Correia, Richard <Richard.Correia@nrc.gov>; West, Steven <Steven.West@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>

Subject:

Management's Credibility

There has been much discourse on this SUNSI issue both via email and in cubicle and cafeteria conversations.

Much of it is stated less professionally and more cynically than Ed's email below. Ed's mention of a DPO is a sarcastic reference to one of Ron's responses; no one is going to waste their time attempting to address any of these items with a DPO.

Just because most of your staff is focused on doing their jobs and do not wish to ruffle anyone's feathers, please don't think that there are only two people (i.e. me and Richard Perkins) complaining about this. This has been a long-standing complaint amongst certain personnel at NRR long before I was ever hired at the NRC-my involvement in this issue came as a result of their complaints to me. And there is widespread dissatisfaction in RES regarding these matters and how our management has avoided addressing them.

There might be a large contingent of managers and staff who resent "open government", but there is a very concerned contingent of technical staff who are appalled at what we are not allowed to share with the public.

And they are equally appalled by the lack of professionalism that has gone into resolving this issue. We expect our leaders to lead and not to politically avoid the difficult questions they are well-paid to confront. Balancing open government and SUNSI is one such issue.

Ron Gagnon is the supposed SUNSI expert for the agency and it is his determination that many of these questions are the prerogative of the office. I say we run with that determination. I say that in the absence of agency ownership of SUNSI, we take ownership of the SUNSI policies for our office. If you would like me to (and if Sean will allow me time to work on it), I can draft some guidance on how to determine what is SUNSI, how to apply "need-to-know" and how to conduct "portion-marking".

I know Brian believes SUNSI is owned by ADM, but ADM-and specifically the SUNSI lead in ADM-believes that specific SUNSI guidance (vice the broad policies put out by ADM in MD 12.6) is the prerogative of the individual offices. This makes sense. Understandably ADM does not feel comfortable writing prescriptive guidance for NRR, RES, etc. We know our work and should be the ones translating the high-level ADM SUNSI policies into workable prescriptive guidance for our people.

V/r, Larry

From: ODonnell, Edward Sent: Monday, March 02, 2015 1:53 PM To: Orr, Mark; Barr, Jonathan; Criscione, Lawrence

Subject:

FW: Need-to-Know requirements for SUNSI

The answers leave one hanging. Perhaps a differing professional opinion should be invoked regarding them.

From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel

Subject:

RE: Need-to-Know requirements for SUNSI

Larry, Please see my replies adjacent to your questions.

Thank you, Ron

Ronald E. Gagnon OIS I PrMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel

Subject:

RE: Need-to-Know requirements for SUNSI

Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.

I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):

1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.

1.b) What document designates them as such? Check with your office leadership.

1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).

1.d) If you disagree with their determination, is there an appeal process?

As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.

2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.

2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.

2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized/ entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:

http://www.internal.nrc.gov/incident.html (please note that other notifications may be necessary depending on the type of spill).

R/

Larry

From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard

Subject:

RE: Need-to-Know requirements for SUNSI

Good afternoon Larry, It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:

1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?

Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.

Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.

2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?

Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.

Please let me know if I can be of further assistance.

Thank you for your questions, Ronald E. Gagnon OIS I PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie

Subject:

FW: Need-to-Know requirements for SUNSI

From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph

Subject:

Need-to-Know requirements for SUNSI

Auto forwarded by a Rule SUNSI Resource*

I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:

NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html

FAQs available on the SUNSI website address commonly requested topics: http://www.internal.nrc.gov/sunsi/faq.html

My questions are:

1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?

2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?

Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:

"Or put another way ..If information appeared on the front page of the Washington Post and you cringe when you see it .... It's probably sensitive".

I believe that:

  • The above definition is deleterious to our goals of openness and transparency
  • Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it "appeared on the front page of the Washington Post" it would make us cringe.

I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.

Larry Lawrence S. Criscione 573-230-3959

From: (b)(7)(C) Sent: Wednesday, February 18, 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick Subject: RE: OIG case 13-001 and OUO-SRI

Larry, Turns out OIS is the agency lead for SUNSI (that includes OUO SRI). They sent me this link:

http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.

Regards (b)(7)(C)

From: Criscione, Lawrence Sent: Thursday, February 12, 2015 11:28 AM To: (b)(7)(C)

Subject:

RE: OIG case 13-001 and OUO-SRI

Thanks (b)(7)(C)

Daniel Cardenas referred me to Admin but did not give me the name of a contact.

From: (b)(7)(C) Sent: Thursday, February 12, 2015 9:08 AM To: Criscione, Lawrence Subject: RE: OIG case 13-001 and OUO-SRI

Let me make some phone calls Larry (b)(7)(C)

From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:48 PM To: (b)(7)(C)

Subject:

OIG case 13-001 and OUO-SRI

(b)(7)(C)

Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.

Please see my email below to (b)(7)(C). I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?).

V/r, Larry

From: Criscione, Lawrence Sent: Wednesday, February 11, 2015 1:37 PM To: (b)(7)(C)

Subject: OIG case 13-001

(b)(7)(C)

Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy. The investigation for Case 13-001 closed on September 11, 2013.

As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:

http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf

http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf

The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information".

Given that OUO-SRI documents are not portion marked, I still have no understanding of:

1. How I am to determine what exactly in those documents is OUO-SRI
2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
4. How to determine who has a "need to know" with regard to OUO-SRI information

R,

Larry

From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

Who Determines Need-to-Know?

Thanks Rich.

I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"

For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?

Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?

From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

RE: Need Assistance from RES and NTEU

Larry, I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10CFR73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.

Rich

Richard Correia, PE Director, Division of Risk Analysis Office of Nuclear Regulatory Research US NRC richard.correia@nrc.gov

From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

Need Assistance from RES and NTEU Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.

On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.

I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.

If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.

Thank you,
Larry

Lawrence S. Criscione 573-230-3959

From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl

Subject:

FW: Questions

Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13- ~.J.u.WIII.'-', received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?

On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC Internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.

In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitutes "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.

I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.

OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.

I look forward to your answers.

Thank you.

Larry

Lawrence S. Criscione 573-230-3959

From: Criscione, Lawrence Sent: Thursday, October 25, 2012 9:37 PM To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy

Subject:

Questions

Dan, I have some questions regarding the guidance on the OIS SUNSI website and MD 12.6.

1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:

When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.

I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?

2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:

"... no person, including employees of the U.S. Government, NRC, ....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."

I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."

Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?

Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":

  • Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
  • Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
  • Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
  • Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?

3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:

  • NRC office originating the information
  • Office that has primary interest in the information
  • Source from which the information was derived

4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only - Security-Related Information"?

I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer.

When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO - SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.

R,
Larry

From: Criscione, Lawrence Sent: Thursday, October 25, 2012 5:50 PM To: Cardenas, Daniel

Subject:

RE: Information Release

The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?

From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:39 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Subject: Re: Information Release

Larry-If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.

Regards.

Dan

- Sent from an NRC Blackberry -

Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email: Daniel.Cardenas Office Number: (301) 415-6184 Cell Number: (b)(6) Fax Number: (301) 415-5132

From: Criscione, Lawrence To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Sent: Thu Oct 25 17:31:31 2012

Subject:

RE: Information Release

Daniel, My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.

The only personnel outside the NRC to whom I have provided "Official Use Only - Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.

Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.

Is my union steward allowed to accompany me to the meeting?

V/r,
Larry Criscione 573-230-3959

From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:01 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen

Subject:

Information Release

Importance: High

Mr. Criscione-I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified Non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.

http://www.internal.nrc.gov/sunsi/

If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.

Please schedule a time to discuss this matter with me.

Regards.

Daniel Cardenas Chief, Facilities Security Branch Division of Facilities and Security, Office of Administration Location: T6-E3 Office Email: Daniel.Cardenas@nrc.gov Office Number: 301 415-6184 NRC Blackberry: (b)(6) NRC Fax: (301)

From: Janney, Margie Sent: Thursday, May 26, 2016 12:41 PM To: Gagnon, Ronald Cc: Rheaume, Cynthia; Le, Hong

Subject:

FW: Who Determines Need-To-Know for OUO?

Importance: High Follow Up flag: Follow up Flag Status: Flagged

Ron, At this morning's ET/Division Directors meeting, both Jim and Fred requested that you consult with OIG to provide additional information to clarify to Larry about your answer to his third question.

Please see Cindy or Jim if you need more explanation.

Thank you,

-Margie

Margie Janney, CRM/NS Chief, IT/IM Policy Branch IT/IM Portfolio Management and Planning Division Office of the Chief Information Officer U.S. Nuclear Regulatory Commission 301-415-7245 margie.janney@nrc.gov

From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:23 PM To: Criscione, Lawrence Cc: Janney, Margie; Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming; Hackett, Edwin; Correia, Richard; Peters, Sean; Heard, Robert; Schwartz, Maria; NTEU, Chapter 208; Weber, Michael

Subject:

Who Determines Need-To-Know for OUO?

Mr. Criscione:

You inquired regarding the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that ... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section D(2) - Need to know access

See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.

See Below:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.

2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-

  • Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
  • Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
  • Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.

  • Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
  • Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
  • Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
  • Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
  • Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
  • Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
  • Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
  • Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Gagnon, Ronald Sent: Wednesday, May 25, 2016 3:06 PM To: Janney, Margie Cc: Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming

Subject:

RE: Who Determines Need-To-Know for OUO?

Attachments: RE: Need-to-Know requirements for SUNSI; DCPD-201300092.od.odf

Follow Up Flag: Follow up

Flag Status: Flagged

The 1st attachment is an email string beginning with Mr. Criscione's 03-03-15 8:51 AM that appears in the next record.

This 2nd attachment is publicly available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/fact-sheet-presidential-policy-directive-critical-infrastructure-security.

Margie, Mr. Criscione is asking the following:

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?
4. If so, who makes that determination?

Question 1: Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

Reply: NRC SUNSI Policy clearly states that ... "except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business." See below:

NRC Policy For Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information section D(2) - Need to know access

See: http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

Question 2: If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

Reply: The NRC recently published a yellow announcement addressing this issue. See https://drupal.nrc.gov/announcements/yellow/policy/23578 Yellow Announcement YA 16-0052 defines "Need to Know" in the context of sensitive unclassified information.

See Below:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.

2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Question 3: Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

Reply: The NRC's Office of Congressional Affairs (OCA) (see MD 9.13) is tasked with communicating with Congress on behalf of the NRC. The office is responsible for administering the agency's Congressional Affairs Program, and for providing advice and assistance to the Chairman, the Commission, and the NRC staff on all NRC relations with the Congress. Specifically, the office-

  • Provides the Chairman, the Commission, the Executive Director for Operations (EDO), and the NRC staff with advice and counsel concerning relations with Congress; keeps NRC currently and fully informed on the views of Congress toward NRC policies, plans, and activities; and pursuant to Section 303 of the Atomic Energy Act of 1954, as amended, keeps Congress currently and fully informed of NRC's policies, plans, and activities. Coordinates all official contacts for the Chairman, the Commission, the EDO, and the NRC staff with members of Congress, their committees, and their staffs.
  • Serves as the liaison with the NRC oversight committees, other congressional committees, as appropriate, and individual members of Congress with respect to matters of interest and concern to NRC.
  • Serves as the contact point for all NRC communications, written and oral, with the Congress; routinely receives copies of all correspondence from members of Congress and congressional committees except for those of a personal nature and those addressed to the Office of the Inspector General; provides for the prompt acknowledgment of this correspondence, as appropriate; reviews and concurs in all NRC responses and other outgoing communications to members of Congress and congressional committees, with the exception of matters within the cognizance of the Inspector General, and coordinates all financial information with the Deputy Chief Financial Officer/Controller before release.
  • Transmits routine communications to Congress, including notifications of proposed rulemakings, new and revised regulatory guides, announcements of regulatory actions, studies, reports, public documents, and other items of a routine nature; prepares direct responses to routine congressional requests and inquiries, when appropriate and with the concurrence of the EDO.
  • Coordinates internal NRC activities that bear directly on NRC relations with Congress including, but not limited to, all hearings and attendance before the Congress by all NRC personnel, drafting testimony, editing hearing transcripts, and preparing supplemental materials, correspondence, and announcements.
  • Transmits classified documents to Congress in accordance with NRC security directives and procedures and congressional regulations regarding the transmission of classified material. Transmits documents that are not publicly available (unclassified) with a special cover letter.
  • Monitors all legislative proposals, bills, congressional hearings, debates, and other activities of potential interest and concern to NRC and advises the Chairman, the Commission, and the NRC staff, as appropriate.
  • Participates in planning and developing NRC's legislative program in close cooperation with the Office of the General Counsel (OGC), coordinates with OGC concerning responses to legislation submitted to the NRC for comment, and coordinates legislative liaison in financial management activities with the Chief Financial Officer or the Deputy Chief Financial Officer/Controller, as appropriate.
  • Represents the Commission, as appropriate, in conferences and meetings with members of Congress and their staffs and arranges for appearances for NRC representatives before congressional committees.
  • Coordinates internal NRC activities and arrangements for visits, tours, notifications, presentations, briefings, and other activities with individual members of Congress or congressional committees and their staffs to inform them more fully of the role and activities of NRC and significant events. Develops and establishes records, policies, and procedures necessary for the effective conduct of NRC relations with Congress, and provides for monitoring the status and timeliness of NRC's responses to congressional correspondence.
  • Performs any other functions assigned by the Chairman.

Question 4: If so, who makes that determination?

Reply: See the Office of Congressional Affairs and Office of General Counsel regarding communications with Congress.

Please let me know if you have additional questions or concerns.

Ronald E. Gagnon SUNSI / CUI Program Manager Office of the Chief Information Officer IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Janney, Margie Sent: Wednesday, May 25, 2016 11:41 AM To: Gagnon, Ronald Cc: Flanagan, James; Carpenter, Cynthia; Le, Hong; Chen, Yen-Ming

Subject:

FW: Who Determines Need-To-Know for OUO?

Ron.

Assuming he has asked the same questions as last time, I suggest you answer Larry with a reference back to that answer. Note he refers to you in his March 3 email below.

-Margie

Margie Janney, CRM/NS Chief, IT/IM Policy Branch IT/IM Portfolio Management and Planning Division Office of the Chief Information Officer U.S. Nuclear Regulatory Commission 301-415-7245 margie.janney@nrc.gov

From: Flanagan, James Sent: Wednesday, May 25, 2016 11:32 AM To: Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>; Le, Hong <Hong.Le@nrc.gov>; Janney, Margie <Margie.Janney@nrc.gov> Cc: Chen, Yen-Ming <Yen-Ming.Chen@nrc.gov>

Subject:

FW: Who Determines Need-To-Know for OUO?

Cynthia, Hong and Margie.

Can we answer these questions or can we direct the individual to the party that can answer them?

Regards,

James P. Flanagan Deputy, Chief Information Officer Office of the Chief Information Officer United States Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike, Mail Stop O-6E7A Rockville, MD 20852-2738 Telephone 301-415-8700 James.Flanagan@nrc.gov

From: Carpenter, Cynthia Sent: Wednesday, May 25, 2016 11:18 AM To: Criscione, Lawrence <Lawrence.Criscione@nrc.gov>; Weber, Michael <Michael.Weber@nrc.gov> Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>

Subject:

RE: Who Determines Need-To-Know for OUO?

Larry,

Please contact OCIO regarding your questions. Controlled Unclassified Information (i.e. currently SUNSI) falls under their area of expertise. If it were SGI or classified, it would be NSIR. I don't know who in OCIO has the lead for this, but I would start with the FOIA, Privacy and information collections branch.

From: Criscione, Lawrence Sent: Wednesday, May 25, 2016 8:57 AM To: Weber, Michael <Michael.Weber@nrc.gov>; Carpenter, Cynthia <Cynthia.Carpenter@nrc.gov>

Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>

Subject:

RE: Who Determines Need-To-Know for OUO?

Mike/Cynthia,

Yesterday the agency published a Yellow Announcement on Need-to-Know (ML16111A432) which - in my opinion - was not very informative. I still have the following questions regarding Need-to-Know as it pertains to nuclear safety issues marked as SUNSI (I have always had a very clear understanding regarding Need-to-know as applied to classified information and SGI):

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?
2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?
3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

4. If so, who makes that determination?

Thanks, Larry

Lawrence S. Criscione RES/DRA/HFRB

From: Criscione, Lawrence Sent: Thursday, April 28, 2016 5:39 PM To: Weber, Michael <Michael.Weber@nrc.gov>; NTEU, Chapter 208 <NTEU@nrc.gov>

Cc: Hackett, Edwin <Edwin.Hackett@nrc.gov>; Correia, Richard <Richard.Correia@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>; Heard, Robert <Robert.Heard@nrc.gov>; Schwartz, Maria <Maria.Schwartz@nrc.gov>; Campbell, Andy <Andy.Campbell@nrc.gov>; Bley, Dennis <Dennis.Bley@nrc.gov>

Subject:

Who Determines Need-To-Know for OUO?

Mike/Sheryl,

As can be seen from the email trail below, I have been trying to get an answer to the handling of Official Use Only Information for quite some time.

Attached is a letter I received last week from the US Office of Special Counsel (OSC). In the letter it is stated that the OSC has referred my disclosure regarding the agency's failure to adequately address flooding from dam failures to the NRC Chairman for investigation and report. It is not yet known by me whom the Chairman intends to assign to investigate my concerns.

In anticipation of potentially meeting with the Chairman's assigned investigator, over lunch today I met with seven colleagues from RES, NRR and NRO to discuss outstanding flooding concerns. At that meeting I was informed that certain supervisors in NRO have deemed certain flooding information and studies as sensitive information subject to strict need-to-know restrictions.

That is, my NRO colleagues told me they had to talk around certain concerns because I - and others present - were not formally assigned to work on those issues and to know those concerns.

Please note that none of the issues were related to nuclear security. These issues pertained entirely to nuclear SAFETY issues (e.g. Probabilistic Maximum Precipitation estimates for certain sites, flood inundation levels, etc.).

Please also see the attached OCWE flyer from Bill Borchardt.

To me, the restrictions placed on the NRO staff directly contradict the work environment purported by Mr. Borchardt.

But it is much worse than that. One of the NRO staff informed me that she might not be able to discuss some of her specific flooding concerns with the Chairman's investigator since the issues could only be shared with those with a need-to-know.

Think about that for a minute. The staff of the NRC supports the work of the Commission. The President appoints the Chairman of the Commission. The President appoints the Special Counsel. The Special Counsel has directed the Chairman to furnish a report to her within 60 days regarding my flooding concerns so that she might forward the Chairman's investigative results on to the President. Yet NRO management has their staff so rattled and confused regarding "need-to-know" surrounding flooding concerns that a staff member is concerned that she cannot even discuss those issues with the Chairman's investigator. That's messed up. Waaaaaay messed up.

Today, I also found out that the Advisory Committee on Reactor Safeguards needed to agree to a Memorandum of Understanding (MOU) prior to being allowed to see certain flooding information.

Think about that for a minute. This is unclassified information. It is not safeguards. None of it has any value in determining how to breach a dam. These studies were done at the request of the NRC to aid in determining how dam failures will affect the viability of reactor plants. Yet the Advisory Committee on Reactor Safeguards cannot automatically see these studies?????

I would appreciate it if I could get a definitive answer from Mike to the following.

1. Are bargaining unit employees allowed to discuss SUNSI (i.e. information that is neither unclassified nor Safeguards) with any colleague whose opinion they so choose to seek?

2. If not, how is the need-to-know determined? That is, how is an employee to determine which colleagues cannot know of SUNSI nuclear safety concern?

3. Is there any SUNSI material which NRC employees are prohibited from providing to Congressional Oversight Committees and/or to staff of the US Office of Special Counsel?

4. If so, who makes that determination?

I recognize PII, allegation material, attorney/client privilege all fall under some definition of SUNSI. But in lieu of a better term, I am using SUNSI to refer to nuclear safety related information that is, for whatever reason, not public information. I am not at all confused on the prohibition of sharing PII, allegation material, attorney-client privilege, etc. so please restrict your answer to SUNSI that pertains solely to nuclear safety.

Please answer my questions directly. As can be seen below, I have for several years been bounced around between various NRC offices, web pages, 10 CFR references, and obtuse Management Directive references that do not address these questions.

This is an issue that gravely affects the Safety Culture of this agency. Imagine an individual with concerns regarding the flooding evaluation at Oconee being told that he cannot discuss the matter with fellow colleagues in his branch because they have no "need-to-know". Imagine the stress of being told by your superiors to sign off on an evaluation and not being able to discuss your concerns with your trusted peers. These are not hypotheticals; they have happened and are happening.

I would appreciate it from Sheryl if she would assist me in getting answers to my questions above. This is an NRC issue not a RES issue (in fact, to my knowledge, there is nothing in RES restricted to a "need-to-know").

To me, this should be brought up at the ALMPC.

I am not saying there is no guidance. As can be seen from the email trail below, there is plenty of guidance. It's just not in a form that can be applied. I would like the NRC to go on record stating that there are certain SUNSI documents that cannot be supplied to Congress and the OSC or confirming that there are no prohibitions against providing SUNSI documents to Congress and the OSC. And I would like the NRC to go on record stating that all employees can view discuss SUNSI nuclear safety concerns with their peers or confirming that there are certain prohibitions against sharing SUNSI material with peers not directly assigned to work on those materials.

V/r, Larry

Lawrence S. Criscione RES/DRA/HFRB 573-230-3959

From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 10:41 AM To: Correia, Richard <Richard.Correia@nrc.gov>; West, Steven <Steven.West@nrc.gov>; Peters, Sean <Sean.Peters@nrc.gov>

Subject:

Management's Credibility

There has been much discourse on this SUNSI issue both via email and in cubicle and cafeteria conversations.

Much of it is stated less professionally and more cynically than Ed's email below. Ed's mention of a DPO is a sarcastic reference to one of Ron's responses; no one is going to waste their time attempting to address any of these items with a DPO.

Just because most of your staff is focused on doing their jobs and do not wish to ruffle anyone's feathers, please don't think that there are only two people (i.e. me and Richard Perkins) complaining about this. This has been a long-standing complaint amongst certain personnel at NRR long before I was ever hired at the NRC - my involvement in this issue came as a result of their complaints to me. And there is widespread dissatisfaction in RES regarding these matters and how our management has avoided addressing them.

There might be a large contingent of managers and staff who resent "open government", but there is a very concerned contingent of technical staff who are appalled at what we are not allowed to share with the public.

And they are equally appalled by the lack of professionalism that has gone into resolving this issue. We expect our leaders to lead and not to politically avoid the difficult questions they are well-paid to confront. Balancing open government and SUNSI is one such issue.

Ron Gagnon is the supposed SUNSI expert for the agency and it is his determination that many of these questions are the prerogative of the office. I say we run with that determination. I say that in the absence of agency ownership of SUNSI, we take ownership of the SUNSI policies for our office. If you would like me to (and if Sean will allow me time to work on it), I can draft some guidance on how to determine what is SUNSI, how to apply "need-to-know" and how to conduct "portion-marking".

I know Brian believes SUNSI is owned by ADM, but ADM - and specifically the SUNSI lead in ADM - believes that specific SUNSI guidance (vice the broad policies put out by ADM in MD 12.6) is the prerogative of the individual offices. This makes sense. Understandably ADM does not feel comfortable writing prescriptive guidance for NRR, RES, etc. We know our work and should be the ones translating the high-level ADM SUNSI policies into workable prescriptive guidance for our people.

V/r, Larry

From: ODonnell, Edward Sent: Monday, March 02, 2015 1:53 PM To: Orr, Mark; Barr, Jonathan; Criscione, Lawrence

Subject:

FW: Need-to-Know requirements for SUNSI

The answers leave one hanging. Perhaps a differing professional opinion should be invoked regarding them.

From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel

Subject:

RE: Need-to-Know requirements for SUNSI

Larry,

Please see my replies adjacent to your questions.

Thank you, Ron

Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel

Subject:

RE: Need-to-Know requirements for SUNSI

Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.

I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):

1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.

1.b) What document designates them as such? Check with your office leadership.

1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership (reference internal NRC SUNSI, SGI, Classified guidance).

1.d) If you disagree with their determination, is there an appeal process?

As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.

2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.

2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.

2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized / entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:

http://www.internal.nrc.gov/incident.html (please note that other notifications may be necessary depending on the type of spill).

R/

Larry

From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard Subject: RE: Need-to-Know requirements for SUNSI

Good afternoon Larry,

It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:

1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?

Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.

Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.

2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?

Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.

Please let me know if I can be of further assistance.

Thank you for your questions,

Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873

From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie Subject: FW: Need-to-Know requirements for SUNSI

From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph

Subject:

Need-to-Know requirements for SUNSI

Auto forwarded by a Rule

SUNSI Resource:

I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:

NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html

FAQs available on the SUNSI website address commonly requested topics: http://www.internal.nrc.gov/sunsi/faq.html

My questions are:

1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?
2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?

Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:

"Or put another way. If information appeared on the front page of the Washington Post and you cringe when you see it .... It's probably sensitive"

I believe that:

  • The above definition is deleterious to our goals of openness and transparency
  • Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it "appeared on the front page of the Washington Post" it would make us cringe.

I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.

Larry

Lawrence S. Criscione 573-230-3959

From: (b)(7)(C) Sent: Wednesday, February 81 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick

Subject:

RE: OIG case 13-001 and OUO-SRI

Larry,

Turns out OIS is the agency lead for SUNSI (that includes OUO SRI). They sent me this link:

http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.

Regards (b)(7)(C)

From: Criscione, Lawrence 1.1.i..Ji,1,W.1..i!WliJl,,,J;.UL.LlfJry 12, 201511:28 AM T

se 13-001 and OUO-SRI Thanks (b)(7)(C)

Daniel Cardenas referred me to Admin but did not give me the name of a contact.

From: (b)(7)(C) Sent: Thursday, February 12, 2015 9:08 AM To: Criscione, Lawrence

Subject:

RE: OIG Case 13-001 and OUO-SRI

Let me make some phone calls Larry

(b)(7)(C)

From: Criscione, Lawrence Sent: February 11, 2015 1:48 PM To: (b)(7)(C)

Subject:

OIG case 13-001 and OUO-SRI

(b)(7)(C)

Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy. Please see my email below to (b)(7)(C). I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that - unlike SGI and classified information - it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?)

V/r,

Larry

From: Criscione, Lawrence Sent: February 11, 2015 1:37 PM To: (b)(7)(C)

Subject:

OIG Case 13-001

(b)(7)(C)

Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.

The investigation for Case 13-001 closed on September 11, 2013.

As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:

http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf

http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf

The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates - to me - that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information".

Given that OUO-SRI documents are not portion marked, I still have no understanding of:

1. How I am to determine what exactly in those documents is OUO-SRI
2. How - when I am preparing a downstream document which references information found in OUO-SRI documents - I am to determine the final designation of my document and who the authority is if I have questions
3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
4. How to determine who has a "need to know" with regard to OUO-SRI information

R,

Larry

From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward Subject: Who Determines Need-to-Know?

Thanks Rich.

I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"

For example, if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?

Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?

From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

RE: Need Assistance from RES and NTEU

Larry,

I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10CFR73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.

Rich

Richard Correia, PE

Director, Division of Risk Analysis Office of Nuclear Regulatory Research US NRC richard.correia@nrc.gov

From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

Need Assistance from RES and NTEU

Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.

On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.

I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.

If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.

Thank you, Larry

Lawrence S. Criscione 573-230-3959

From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl

Subject:

FW: Questions

Dan,

Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?

On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.

In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitutes "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.

I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.

OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.

I look forward to your answers.

Thank you, Larry

Lawrence S. Criscione 573-230-3959

From: Criscione, Lawrence Sent: Thursday, October 25, 2012 9:37 PM To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy

Subject:

Questions

Dan, I have some questions regarding the guidance on the 01S SUNSI website and MD 12.6.
  1. 1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, In the document "2010-04-27 guidance.pelf" I've highlighted where it states:

When Is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive Information.

I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 QUO correspondence between the NRC and Duke Energy regarding Jocassee Dam Is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive Information. Yet there are no portion markings. Which guidance Is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?

  1. 2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSl.pdf I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:

15

"...no person, Including employees of the U.S. Government, NRC, ....... moy hove access to SUNS/ unless that person has an established need-to-know the information for conducting official business."

I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."

Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?

Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":

  • Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
  • Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
  • Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 127
  • Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?

3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:

  • NRC office originating the information
  • Office that has primary interest in the information
  • Source from which the information was derived

4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only - Security-Related Information"?

I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer. When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO-SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.

R, Larry From: Criscione, Lawrence Sent: Thursday, October 25, 2012 5:50 PM To: Cardenas, Daniel

Subject:

RE: Information Release The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?

From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:39 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy

Subject:

Re: Information Release Larry - If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.

Regards.

Dan

- Sent from an NRC Blackberry -

Daniel Cardenas, Chief Facilities Security Branch Division of Facilities and Security Office of Administration U. S. Nuclear Regulatory Commission Office Email : ardena Office Num Cell Number:

Fax Number: .....,.,................,,....,...,...,.,...

From: Criscione, Lawrence To: Cardenas, Daniel Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy Sent: Thu Oct 25 17:31:31 2012

Subject:

RE: Information Release

Daniel,

My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.

The only personnel outside the NRC to whom I have provided "Official Use Only - Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.

Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.

Is my union steward allowed to accompany me to the meeting?

V/r, Larry Criscione 573-230-3959 From: Cardenas, Daniel Sent: Thursday, October 25, 2012 5:01 PM To: Criscione, Lawrence Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen

Subject:

Information Release Importance: High Mr. Criscione - I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.

win ernal.

If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.

Please schedule a time to discuss this matter with me.

Regards.

0111lcl Carduu Chief, Fac1litic<1 Securily Branch 01V1s1on or f'ai:ilhics end Sccuri1y, o mcc of AdmimstratlOII Location: T6-l'J I Office Emoil: DwJjc:I.Canlenas!!J!rc,!Ov omce Number. r 3Q1 )4 t5;618 NRC Blnck:bcrry._!fb~H...,

61..,..._ __.

NRC Fax: (301) 415-5132

From: Gagnon, Ronald Sent: Tuesday, March 03, 2015 9:16 AM To: Norman, Robert; Adler, James

Subject:

FW: Need-to-Know requirements for SUNSI Gentlemen, Good morning. I thought that I would share the exchange below since part of what is discussed will soon fall under CUI.

Ron Ronald E. Gagnon CUI Program Manager IT/IM Policy Branch United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Criscione, Lawrence Sent: Tuesday, March 03, 2015 8:57 AM To: Correia, Richard; West, Steven Cc: Janney, Margie; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel; Gagnon, Ronald

Subject:

RE: Need-to-Know requirements for SUNSI Steve/Rich, Once again, my direct questions on SUNSI were side-stepped. Other than items 1.d and 2.c below, I did not get answers but rather a re-iteration of obfuscated policies. Items 1.a, 1.b, and 1.c were dished off to you (i.e. my office leadership). Please provide me answers:

1.a) Who are the subject matter experts for flooding and dam failures?

1.b) What document designates them as such?

1.c) What guidance do they use to determine what is sensitive and what is not?

If you cannot answer these questions, it's likely because there is no appointed authority and guidance for determining what is and what is not SUNSI with regard to flooding/dam failure information. That is, we are not professionally addressing this issue but are rather just conservatively caving in to "speculative or abstract fears" instead of diligently balancing wide and open discussion of significant nuclear safety issues (e.g. a Fukushima scenario in South Carolina or Nebraska) against realistic terrorist capabilities and threats.

I find it disturbing that item 2.a cannot be directly answered. The answer should be: per federal law (5 USC §7211) Congressional offices have a de-facto right to information that is not otherwise legally restricted. That is, the right of Congress to receive information is vividly clear in 5 USC §7211 and as long as the sharing of that information does not conflict with other federal laws which the Congress has passed (e.g. laws limiting the distribution of Special Compartmentalized Information) then the information can be directly shared with any Congressional office (i.e. Congressional offices have a de-facto "need-to-know" with regard to SUNSI). I find it troubling that no one is willing to give me this answer. By failing to give me this answer, I am unsure as to whether or not I am allowed-if I feel a significant nuclear safety issue is not being adequately addressed-"to petition Congress or a Member of Congress, or to furnish information to either House of Congress, or to a committee or Member thereof". Please clarify whether or not the technical staff needs to obtain any permissions-such as permission from either their chain of command or from the Office of Congressional Affairs-prior to sharing information with a Congressional office.

Item 2.b is about internal need-to-know as it relates to SUNSI. Late last year, Richard Perkins shared a document with me that pertained to guidance provided for using Exemption 5 (pre-decisional information) in preparing documents for release under the FOIA. That guidance was marked "Attorney-Client Privilege" (a form of SUNSI). Note that I did not need "access to specific information to perform or assist in a lawful and authorized governmental function". That is, I was not assigned to work on a FOIA that required use of the guidance. Richard shared it with me because he was concerned the guidance was illegal and he wanted my opinion. Did he violate "need-to-know"?

I have never been assigned any work pertaining to addressing flooding at nuclear power plants. Yet many of the people copied on this email have discussed SUNSI documents with me pertaining to that issue. Are they violating "need-to-know"? If so, how are they to determine with which of their colleagues can they discuss this nuclear safety issue? How are they to "make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function"? For example, how is someone from NRR to know whether or not I have been authorized to work on flooding? Are they to contact my branch chief prior to having any discussion with me? And what then when they are told I am not assigned to work on any flooding issues? Are they allowed to collegially get my opinion on the documents anyway? Or is this nuclear safety information to be silo'd in the same manner that Special Compartmentalized Information concerning military operations is rightfully silo'd? These are not rhetorical questions. Please provide me answers. Are we allowed to get our colleague's opinions on issues to which they were not formally assigned?

Finally, if these are truly matters that should be decided at the office level (as Ron Gagnon indicated in his response below) then I would like to volunteer to become the RES subject matter expert on security issues surrounding flooding and dam failure-assuming my branch chief would support that. I will gladly determine what federal courses and workshops are available concerning the determination of security sensitivity and regarding open government initiatives. I can attend those workshops and develop guidance that diligently balances the public's right to know about significant nuclear safety issues against any legitimate security concerns that might exist.

V/r, Larry From: Gagnon, Ronald Sent: Monday, March 02, 2015 1:49 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel

Subject:

RE: Need-to-Know requirements for SUNSI

Larry, Please see my replies adjacent to your questions.

Thank you, Ron Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: Criscione, Lawrence Sent: Friday, February 27, 2015 3:23 PM To: Gagnon, Ronald Cc: Janney, Margie; Correia, Richard; Sullivan, Randy; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; Kanney, Joseph; Patterson, Malcolm; King, Mark; Burton, Thomas; Peters, Sean; Cardenas, Daniel

Subject:

RE: Need-to-Know requirements for SUNSI Thanks Ronald. I've copied some colleagues on this email so they can see your answer below and so that they might contact you if they have their own questions about it.

I've highlighted two items below that are still unclear (subject matter expert and need-to-know determination):

1.a) Who are the subject matter experts for flooding and dam failures? Check with your office leadership.

1.b) What document designates them as such? Check with your office leadership.

1.c) What guidance do they use to determine what is sensitive and what is not? Check with your office leadership, (reference internal NRC SUNSI, SGI, Classified guidance).

1.d) If you disagree with their determination, is there an appeal process?

As you probably already know, NRC has a mechanism in place where differing professional opinions can be discussed and resolved. The NRC Differing Professional Opinions Program, Management Directive 10.159 states the following objectives: To foster informal discussions with peers and supervisors on issues involving professional judgments that may differ from a currently held view or practice, To establish a formal process for expressing differing professional opinions (DPOs) concerning issues directly related to the mission of NRC, To ensure the full consideration and prompt disposition of DPOs by affording an independent, impartial review by knowledgeable personnel, To ensure that all employees have the opportunity to (a) express DPOs in good faith, (b) have their views heard and considered by NRC management, and (c) be kept fully informed of the status of milestones throughout the process, To protect employees from retaliation in any form for expressing a differing opinion, To recognize submitters of DPOs when their DPOs have resulted in significant contributions to the mission of the agency, To provide for agency-wide oversight and monitoring, to ensure that implementation of these procedures accomplishes the stated objectives, and to recommend appropriate changes when required.

2.a) For SUNSI, do we (i.e. the technical staff) need to obtain our supervisor's permission prior to sharing information with a Congressional office? This question is outside the scope of SUNSI. Please check with your leadership for official NRC policies regarding communications with Congress. The Office of Congressional Affairs should be able to articulate current policies regarding this question.

2.b) For SUNSI that is related to nuclear safety issues or to agency policies on applying FOIA redactions (i.e. not PII, allegation material, or other highly specific forms of SUNSI that have nothing to do with typical NRC correspondence and reports) do we need our supervisor's permission prior to discussing the information with our NRC colleagues who are not formally assigned to work on the issue? That is, can I share nuclear safety information with my NRC co-workers even though that information has been designated SUNSI and they have not been formally assigned to work on the issue? Please check with your leadership and the FOIA office (if you have a FOIA redaction question). As you are aware, in addition to having authorized access to SUNSI information there is a need to know component to SUNSI. In order to allow access to another party, an authorized holder of SUNSI information must make a determination that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function.

2.c) If I can get to it in ADAMS, can I assume I have a de-facto right to know it? Perhaps, but not exclusively. For example, if a document has been mistakenly categorized/ entered into ADAMS it does not give an employee the right to view or distribute it without the proper access credentials. If a government employee came across a classified document on-line through a Google search, that government employee is not authorized access unless they have the proper clearance and need to know, even though the document is easily available to anyone searching for it. If not, how do I determine that I have accessed a document that I have no right to see and to whom do I report it? One way to report a document spill would be by advising your supervisor and accessing the following link:

http://www.internal.nrc.govnncident.html (please note that other notifications may be necessary depending on the type of spill).

R/

Larry From: Gagnon, Ronald Sent: Friday, February 27, 2015 2:15 PM To: Criscione, Lawrence Cc: Janney, Margie; Correia, Richard

Subject:

RE: Need-to-Know requirements for SUNSI

Good afternoon Larry.

It was a pleasure speaking with you this afternoon. During our conversation we explored several topics including your questions below. We discussed the Controlled Unclassified Program (CUI) and how it would consolidate the SUNSI and SGI programs at the NRC, and how it would offer a government-wide, uniform way of handling sensitive unclassified information. You asked the following SUNSI related questions:

If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?

Derivative products should always be marked to ensure that the sensitive information in the document is fully protected according to agency policy. If the document is not portion marked, then the entire document is considered SUNSI until such time as a subject matter expert determines otherwise.

Documents that are marked SUNSI and not portion marked can be reviewed by the originator to determine which portion is sensitive, i.e. 2.390 information. A derivative document using any information from a SUNSI document that is not portion marked must have the referenced portion marked as SUNSI.

2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?

Need-to-know typically means a determination made by an authorized holder of information that a prospective recipient requires access to specific information to perform or assist in a lawful and authorized governmental function. This determination would be made by the leadership elements in the office where the work is performed.

Please let me know if I can be of further assistance.

Thank you for your questions.

Ronald E. Gagnon OIS / PMPD / IPB United States Nuclear Regulatory Commission One White Flint North 11545 Rockville Pike, Mail Stop O-6H11 Rockville, MD 20852 Office: 301-415-6873 From: SUNSI Resource Sent: Wednesday, February 25, 2015 7:44 AM To: Gagnon, Ronald; Janney, Margie Subject: FW: Need-to-Know requirements for SUNSI From: Criscione, Lawrence Sent: Wednesday, February 25, 2015 7:44:21 AM To: SUNSI Resource Cc: Correia, Richard; Peters, Sean; Perkins, Richard; Bensi, Michelle; Sancaktar, Selim; Philip, Jacob; Mitman, Jeffrey; Ferrante, Fernando; Barnes, Valerie; Desaulniers, David; ODonnell, Edward; King, Mark; Burton, Thomas; Patterson, Malcolm; Kanney, Joseph

Subject:

Need-to-Know requirements for SUNSI Auto forwarded by a Rule SUNSI Resource:

I have some questions regarding SUNSI which my division director has been attempting to help me get answered. He provided me the following references but neither of them address the questions I have:

NRC's SRI guidance: http://www.internal.nrc.gov/sunsi/security.html

FAQs available on the SUNSI website address commonly requested topics: http://www.internal.nrc.gov/sunsi/faq.html

My questions are:

1. If I am referencing a document marked SUNSI, since there are no portion markings how do I determine what material is SUNSI and what is not? If I reference anything in the document, must my new document now be marked as SUNSI?

2. How do I determine need-to-know with regard to SUNSI? If I come across an interesting nuclear issue (e.g. a nuclear site which some colleagues believe is inadequately protected from flooding), can I discuss that issue with my fellow employees or is there some type of vetting process I must use? That is, are unclassified and non-Safeguards nuclear safety concerns fair game for discussion with all NRC colleagues or must information be "silo-ed" into a tightly controlled group of individuals who are officially assigned to address the issue?

Also, I have some comments about the "SUNSI Awareness Training" linked to from the SUNSI "Frequently Asked Questions" website (and attached to this email). On slide 6 a colloquial definition of SUNSI is provided as:

"or put another way ... If information appeared on the front page of the Washington Post and you cringe when you see it .... It's probably sensitive".

I believe that:

  • The above definition is deleterious to our goals of openness and transparency
  • Unfortunately, your colloquial definition is broadly used within the NRC. That is, it is my experience that most SUNSI material is marked that way because if it appeared on the front page of the Washington Post it would make us cringe.

I'm not the only NRC employee who has been asking these questions. How we determine SUNSI is a concern shared by several of my colleagues.

Larry Lawrence S. Criscione 573-230-3959 sent: ne ay, ruary 18, 2015 3:48 PM To: Criscione, Lawrence Cc: Peters, Sean; Madden, Patrick

Subject:

RE: OIG case 13-001 and OUO-SRI Larry, Turns out OIS is the agency lead for SUNSI (that includes OUO SRI). They sent me this link:

http://www.internal.nrc.gov/sunsi/security.html as a source of information. Please take a look at the information at the link and let me know if it has the information you are seeking.

Regards (b)(7)(C)

From: Criscione, Lawrence Se

  • uary 12, 2015 11:28 AM To: (b)(7)(C)

SubJ se 13-001 and OUO-SRI Thanks~

Daniel Cardenas referred me to Admin but did not give me the name of a contact.

ur ay, e ruary 12, 2015 9:08 AM To: Criscione, Lawrence

Subject:

RE: OIG Case 13-001 and OUO-SRI Let me make some phone calls Larry (b)(7)(C)

From: Criscione, Lawrence Se : ruary 11, 2015 1:48 PM To: (b)(7)(r)

~ ~l~dOOO~ru l(b)(7)(C) I Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was provided to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.

Please see my email below to Daniel Cardenas. I still have a lack of understanding on OUO-SRI, mostly stemming from the fact that-unlike SGI and classified information-it (1) is not portion marked, (2) has no derivative classifiers, and (3) is applied to such broad topics that it has no well-defined need-to-know (e.g. who has a need-to-know about the Oconee flooding issues? Is it only the narrow set of NRR employees addressing it? Or is it any concerned NRC employee who might have an opinion that adds to the discussion?).

V/r, Larry From: Criscione, Lawrence Sen

  • ary 11, 2015 1:37 PM To: (b)(7)(C)

Subject:

OIG Case 13-001 (b)(7)(C)

Attached is the transcript from your 2012 interview with OIG concerning Case 13-001. It was given to me as part of a Privacy Act request and I'm sending it along to you in case you would like a copy.

The investigation for Case 13-001 closed on September 11, 2013.

As part of the resolution to the PEER v. NRC lawsuit, on September 13, 2013 the NRC publicly released the two documents which were the subject of the NRC Form 183 security incident which was filed against me on September 20, 2012. Those documents can be found at:

http://pbadupws.nrc.gov/docs/ML1325/ML13256A372.pdf
http://pbadupws.nrc.gov/docs/ML1325/ML13256A370.pdf

The only redactions to those documents are my home address, my cell phone number and my personal email account. This indicates-to me-that I was not in error when I failed to mark these documents as "Official Use Only - Security-Related Information". Given that OUO-SRI documents are not portion marked, I still have no understanding of:

1. How I am to determine what exactly in those documents is OUO-SRI
2. How-when I am preparing a downstream document which references information found in OUO-SRI documents-I am to determine the final designation of my document and who the authority is if I have questions
3. To whom do I appeal if I do not agree with the OUO-SRI designation of a document
4. How to determine who has a "need to know" with regard to OUO-SRI information

R,

Larry From: Criscione, Lawrence Sent: Tuesday, June 10, 2014 9:27 AM To: Correia, Richard; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

Who Determines Need-to-Know?

Thanks Rich.

I'd like to clarify though that even if we have a precise definition, a large part of my concern is "Who determines need-to-know?"

For example if I am confident that a document marked "Not for Public Disclosure" can go to a congressional office, can I send it to them or must I first go through OGC and OCA?

Or, if I am confident that an INL contractor has a need to know proprietary information we got from INPO, can I directly send it to him or do I first need to consult with my supervisor, the NRC owner of the INPO MOU, OGC, etc.?

From: Correia, Richard Sent: Tuesday, June 10, 2014 7:02 AM To: Criscione, Lawrence; Weber, Michael; Sheron, Brian; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

RE: Need Assistance from RES and NTEU

Larry,

I contacted folks in the Information Security Branch of NSIR and they pointed out that "need to know" is defined in 10CFR73.2 for handling safeguards information. I'm not certain if it would have a similar definition for SUNSI. I'll follow up with OGC on whether need to know has a definition for SUNSI.

Rich Richard Correia, PE Director, Division of Risk Analysis Office of Nuclear Regulatory Research USNRC richard.correia@nrc.gov From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:50 PM To: Weber, Michael; Sheron, Brian; Correia, Richard; Madden, Patrick; Peters, Sean; Sullivan, Randy; Burrows, Sheryl; ODonnell, Edward

Subject:

Need Assistance from RES and NTEU Please see my October 25, 2012 email below to Dan Cardenas. I've highlighted several questions in that email which I never received answers to.

On October 25, 2012 I was directed to review our SUNSI guidance and to discuss it with the chief of the Facilities Security Branch. I reviewed the guidance but had some questions which, 19-months later, I still do not know the answers to.

I would like the assistance of RES management and the NTEU in obtaining answers from Mr. Cardenas. I believe I am not the only one at the NRC who is unclear as to what exactly constitutes a "need to know" and "conducting official government business". Better clarifying these terms, especially with regard to OIG Case 13-001 which led to a criminal referral to the Department of Justice, is in the interest of the NRC staff.

If you have advice for me as to how to obtain answers from the requisite SUNSI experts, please let me know.

Thank you, Larry Lawrence S. Criscione 573-230-3959 From: Criscione, Lawrence Sent: Monday, June 02, 2014 5:35 PM To: Cardenas, Daniel; Ross-Lee, MaryJane Cc: Beasley, Benjamin; Peters, Sean; Correia, Richard; Sullivan, Randy; NTEU, Chapter 208; Burrows, Sheryl

Subject:

FW: Questions

Dan, Attached to this email is a document entitled "Exhibit 3 to OIG Case 13-001" which I received today in response to FOIA 2014-0236. The memo is undated. Could either you or (b)(7)(C) please tell me the date on which (b)(7)(C) sent this memo to (b)(7)(C)? Was it before or after our correspondence in the email trail below?

On February 4, 2013 agents of the NRC's Inspector General approached the Assistant US Attorney's office in Springfield, IL and requested of them that I be indicted on federal felony charges (18 USC §1030) for obtaining supposed security-sensitive information from a government database (i.e. NRC internal ADAMS) and supposedly colluding to distribute that information to the public (e.g. via a Congressional hearing). The information of concern was my September 18, 2012 letter to the NRC Chairman, the email distributing it, and the nine reference documents. These are the same documents of concern in our email trail below.

In an October 25, 2012 email (included immediately below) I asked you a series of questions regarding MD 12.6, various guidance you directed me to review (found at http://www.internal.nrc.gov/sunsi/), and an explanation of what exactly constitute "need to know" and "conducting official government business". I have highlighted those questions in the email below. The documents attached to this email refer to some of those questions.

I never received any answers to the questions I posed to you 19 months ago in the email below. And after being the subject of an OIG criminal investigation for the distribution of supposed security related documents to individuals without a supposed "need to know", I still do not know the answers to the questions I pose below.

OIG Case 13-001 has been closed for over 9 months. Please provide me answers to my questions below as I am still uncertain what exactly I can and cannot share with our Congressional overseers and the precise channels I am required to follow.

I look forward to your answers.

Thank you,
Larry

Lawrence S. Criscione
573-230-3959

From: Criscione, Lawrence
Sent: Thursday, October 25, 2012 9:37 PM
To: Cardenas, Daniel
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy

Subject:

Questions

Dan,

I have some questions regarding the guidance on the OIS SUNSI website and MD 12.6.

1) In the attached document "2005-10-26 guidance.pdf" I've highlighted a sentence stating that portion markings are not required. However, in the document "2010-04-27 guidance.pdf" I've highlighted where it states:

When is portion or page marking required? On documents that may be released following redaction of sensitive information. If an entire page is not sensitive, place marking adjacent to the sensitive information.

I am a big believer in portion markings. It frustrates me to no end that none of the 2008-2012 OUO correspondence between the NRC and Duke Energy regarding Jocassee Dam is portion marked. This correspondence clearly meets the instructions above for requiring that the documents be portion marked. That is, the overwhelming majority of the pages in the NRC/Duke correspondence have portions that are not sensitive and this NRC correspondence with a licensee concerning a serious safety concern should certainly be released following redaction of sensitive information. Yet there are no portion markings. Which guidance is correct: the 2005-10-26 or the 2010-04-27 guidance? Should NRR's correspondence with Duke Energy from May 2010 through the present have been portion marked?

2) On page 2 of the attached "NRC Policy for Handling Marking and Protection SUNSI.pdf" I have highlighted a paragraph on "Need-To-Know Access". This paragraph contains the words:

"... no person, including employees of the U.S. Government, NRC, ....... may have access to SUNSI unless that person has an established need-to-know the information for conducting official business."

I am unclear what exactly constitutes "an established need-to-know the information for conducting official business."

Some of my co-workers (particularly Richard Perkins, but many others as well) expressed concern to me that flooding issues at Oconee Nuclear Station and Fort Calhoun were not being adequately addressed. Although it is my job (and the job of all NRC employees) to take allegations from licensees, I do not believe it is my job (i.e. "conducting official business") to take allegations from my fellow NRC co-workers. Nonetheless, I reviewed some of the source documents regarding Jocassee Dam because I was concerned with the opinions I was hearing expressed from my co-workers. It was not my job to review these documents. Most of the review of these documents occurred after normal working hours, including times when - although allowed to be in the office or on Citrix - I am not allowed to formally work (i.e. beyond 8 pm, Sundays, while using annual leave/credit hours). Since I was reviewing this information on my own time and not "for conducting official business", was I violating the "Need-to-Know"?

Although I have only shared SUNSI with "employees of the U.S. Government", I am not certain all of them had "an established need-to-know the information for conducting official business":

  • Does a staffer on the Senate Committee on Homeland Security & Governmental Affairs have "an established need-to-know the information for conducting official business"? If he does, must I send him through the Office of Congressional Affairs? Am I violating "Need-to-Know" by directly sending him references he requested?
  • Does the intern for Representative Duncan of South Carolina's 3rd congressional district have "an established need-to-know the information for conducting official business" when she is not investigating any matter for a congressional oversight committee and I am merely copying her as a courtesy to keep her representative abreast of a concern regarding a nuclear plant in his district?
  • Does the Office of the Special Counsel have "an established need-to-know the information for conducting official business" when the information is not being formally submitted with an OSC Form 12?
  • Does the Downstate Director (i.e. Springfield, IL office chief) of Senator Durbin have "an established need-to-know the information for conducting official business" when I am merely meeting with him to get his advice as to whether or not my senator would be willing to write the NRC Chairman regarding the NRC's SUNSI policies?

3) Assuming that the US Special Counsel or a congressional staffer has "an established need-to-know", I am uncertain as to what is required by the "Access" requirements on page 5 of Part II of MD 12.6. Prior to sharing SUNSI with the US Special Counsel or congressional staffers, before providing the information must I first consult the three parties listed in MD 12.6:

  • NRC office originating the information
  • Office that has primary interest in the information
  • Source from which the information was derived

4) If I am writing a letter regarding how the Office of Nuclear Reactor Regulation is inappropriately stamping safety-related correspondence as "Security-Related Information", and if I am sending that letter to the US NRC Chairman and copying it to concerned congressional offices, and if I do not believe that marking the letter is essential to ensure proper handling and to ensure all persons having access to the letter will be aware that it (1) must not be publicly released and (2) must be distributed only to those who have a need-to-know to conduct official business, then am I in violation of MD 12.6 because I did not stamp the letter "Official Use Only - Security-Related Information"?

I was asked by a congressional staffer last month whether I believed the "Security-Related Information" stamps were hindering the open discussion of the Jocassee Dam/Oconee issue amongst the NRC staff. His concern was based on the fact that some of NRR's Jocassee Dam correspondence contain the stamp "Limited Internal Distribution Permitted". My answer to him was that, although I believed these stamps were inappropriately keeping a serious safety concern from public scrutiny, these markings were not in any way hindering the professional internal discussion of concerns regarding Jocassee Dam. Based on what I have read in MD 12.6 tonight, I do not know if I still agree with that answer.

When possible, I would like to meet with you regarding the four questions above. Also, I have had people within the NRC request to see my 2012-09-18 letter to the chairman but I have been unwilling to share it with anyone since being told I was violating SUNSI guidance by not properly stamping it OUO - SRI. I would like to review that letter with you and get your assessment as to how it should be stamped.

R,
Larry

From: Criscione, Lawrence
Sent: Thursday, October 25, 2012 5:50 PM
To: Cardenas, Daniel

Subject:

RE: Information Release

The version of MD 12.6 that is linked to in the SUNSI website is from December 20, 1999. Is this the version I am supposed to review or is there a more current revision?

From: Cardenas, Daniel
Sent: Thursday, October 25, 2012 5:39 PM
To: Criscione, Lawrence
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy

Subject:

Re: Information Release

Larry-

If you have read and understand the SUNSI guidance, then a meeting may not be necessary. I will contact you if a meeting is necessary. In regards to transmission of SUNSI outside the NRC, please contact your supervisor as identified in MD 12.6 and follow applicable guidance located on the OIS SUNSI website.

Regards.

Dan

~ Sent from an NRC Blackberry ~

Daniel Cardenas, Chief
Facilities Security Branch
Division of Facilities and Security
Office of Administration
U. S. Nuclear Regulatory Commission
Office Email: Daniel.Cardenas1@nrc.gov
Cell Number: (b)(6)
Office Number: (301) 415-6184
Fax Number: (301) 415-5132

From: Criscione, Lawrence
To: Cardenas, Daniel
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen; ODonnell, Edward; Sullivan, Randy
Sent: Thu Oct 25 17:31:31 2012

Subject:

RE: Information Release

Daniel,

My Outlook calendar is up to date through the end of the year. I should be able to review MD 12.6 and the other guidance by tomorrow morning.

The only personnel outside the NRC to whom I have provided "Official Use Only - Security Related Information" are either with the Office of the Special Counsel, staffers of US Senators or staffers of members of the US House of Representatives. I will not release any additional information to the Office of the Special Counsel or to members of the US Congress until I have met with you.

Please send me a copy of the NRC Form 183 mentioned below so that I may review it prior to our meeting.

Is my union steward allowed to accompany me to the meeting?

V/r,
Larry Criscione
573-230-3959

From: Cardenas, Daniel
Sent: Thursday, October 25, 2012 5:01 PM
To: Criscione, Lawrence
Cc: Beasley, Benjamin; Coe, Doug; Ross-Lee, MaryJane; Pretzello, Andrew; Skidmore, Karen

Subject:

Information Release

Importance: High

Mr. Criscione-

I have received a NRC Form 183 "Report of Security Incident" indicating that you have released information (Official Use Only - Security Related Information, etc) to personnel outside of the NRC. This release of information must "stop" immediately. The guidance for handling Sensitive Unclassified Non-Safeguards Information (SUNSI) is identified in MD 12.6 and on the OIS webpage. Please see the following link, which provides detailed information on the handling of this type of information.

http://www.internal.nrc.gov/sunsi/

If you have released any other information, you must cease these activities, and report the releases to the Director, Division of Facilities and Security.

Please schedule a time to discuss this matter with me.

Regards.

Daniel Cardenas
Chief, Facilities Security Branch
Division of Facilities and Security, Office of Administration
Location: T6-13J
Office Email: Daniel.Cardenas1@nrc.gov
Office Number: (301) 415-6184
NRC Blackberry: (b)(6)
NRC Fax: (301) 415-5132


NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information

A. Purpose and Scope

This policy is issued to ensure that sensitive unclassified non-safeguards information (SUNSI) is properly handled, marked, and adequately protected from unauthorized disclosure.

"SUNSI" refers to any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

The various categories of SUNSI have been organized into the following nine groups:

  • Allegation information
  • Investigation information
  • Critical Electric Infrastructure Information (CEII)
  • Export Controlled Information (ECI)
  • Security-related information
  • Proprietary information
  • Privacy Act information
  • Federal-, State-, foreign government-, and international agency-controlled information
  • Sensitive internal information

To the extent that requirements under a section for a particular SUNSI group were already stipulated in a statute, regulation, or other directive, the requirements have been incorporated into this policy. The requirements set forth in this policy and procedures for handling allegation information come from Management Directive (MD) 8.8, "Management of Allegations." The requirements for the handling of Privacy Act information come from the Privacy Act of 1974, as amended, and MD 3.2, "Privacy Act." The requirements for marking incoming confidential commercial or financial (proprietary) information come from 10 CFR 2.390. Requirements for electronic processing, storage, destruction, and transmission of SUNSI can be found in MD 12.6.

When more than one SUNSI group applies to information, the most restrictive handling requirement of the applicable groups should be applied.

B. Applicability

NRC employees, consultants, and contractors are responsible for ensuring the procedures specified in this announcement are followed to protect SUNSI. The use of the word "contractors" includes subcontractors.

C. Handling Requirements for SUNSI

Web Address for Handling Requirements

The handling requirements for SUNSI are published on the NRC internal Web site at http://drupal.nrc.gov/sunsi. The Web site contains detailed requirements for each of nine SUNSI groups in the following fourteen areas:

  • Applicable document categories
  • Authority to designate
  • Access
  • Marking
  • Cover sheet
  • Reproduction
  • Processing on electronic systems
  • Use at home
  • Use while traveling or commuting
  • Physical copy transmission
  • Electronic copy transmission
  • Storage
  • Destruction
  • Decontrol authority

D. Generally Applicable Requirements

1. Marking

Each document containing SUNSI must be properly and fully marked when such markings are required for the SUNSI group. (See item 4, Marking, in the SUNSI group handling requirements http://drupal.nrc.gov/sunsi.)

2. Need-To-Know Access

A security clearance is not required for access to SUNSI. However, except as the Commission may otherwise authorize, no person, including employees of the U.S. Government, NRC, an NRC licensee or certificate holder, or an employee, agent, or contractor of a license applicant may have access to SUNSI unless that person has an established need-to-know the information for conducting official business.

If doubt exists in any particular case whether it is proper to grant access to SUNSI originating from outside the NRC, NRC contractors, or NRC licensees or applicants, consult with the originating party, the party responsible for the information, or other source from which the information is derived.

3. Ensuring legible markings on copies

All copies must clearly show the protective markings on the original document. Markings on documents submitted for reproduction should be in black or red and dark enough to be reproduced legibly.

4. Packaging SUNSI for Physical Transmission

Material used for packaging SUNSI for physical transmission must be opaque and of such strength and durability as to provide secure protection for the document in transit, prevent items from breaking out of the container, and facilitate the detection of any tampering with the container.

5. Profiling SUNSI in ADAMS

When a document containing SUNSI is authorized to be entered into the Agencywide Documents Access and Management System (ADAMS), personnel entering the document must ensure that one of the sensitive values (e.g., Sensitive - Security Related - Periodic Review Required, Sensitive - Proprietary, Sensitive - Protected subject to adjudicatory order, etc.) is marked in the "Document Sensitivity" profile property and that the "Availability" profile property is marked as "Non-Publicly Available."

Identifying the appropriate document sensitivity and availability along with the markings on the documents will aid in protecting SUNSI. It will also alert staff to the sensitivity of the document when it is requested under the Freedom of Information Act (FOIA) or the Privacy Act, thus ensuring that the document is properly reviewed under FOIA and Privacy Act exemptions standards.

6. Removal of Markings

Normally, a document will retain its markings until the agency decides that the document will be made public either on its own discretion or in response to a FOIA request. Before releasing a document with a SUNSI marking, the marking on the copy to be released should preferably be blackened out or, at a minimum, marked through in such a way that it conveys that the marking is no longer applicable to the document. This should be done on each page containing a marking.

7. Inadvertent or Unauthorized Release of SUNSI

Whenever SUNSI is inadvertently released or disclosed by NRC personnel or contractors, a security incident has occurred. Some examples of SUNSI-related security incidents include leaving sensitive unclassified documents or material unattended, unsecured, or improperly stored (including on shared network drives unless access controls are applied); improper transmission of sensitive unclassified documents or material; allowing an unauthorized person access to sensitive unclassified information; and/or failure to safeguard a sensitive unclassified lock combination.

In the event of a SUNSI security incident, in accordance with MD 3.4, "Release of Information to the Public," the office director shall promptly inform the Executive Director for Operations (EDO) and the Office of the Inspector General (OIG).

In accordance with MD 12.1, "NRC Facility Security Program," NRC employees and contractors shall report all security incidents immediately following their occurrence or observed occurrence by:

A. Completing and submitting an NRC Form 183, "Report of Security Incident." If necessary, the initial report to the Division of Facilities and Security (DFS) may be made orally but must be finalized in writing by submitting an NRC Form 183 to DFS. A report should not contain any SGI or classified information unless the report is protected according to the level of information involved when transmitted or verbally communicated to DFS through an authorized secure telecommunications system or secure information technology (IT) system. A security incident may be initially reported by telephone to 301-415-6885, or online at http://drupal.nrc.gov/content/report-safety-or-security-incident.

B. A contractor shall immediately report a security incident to DFS and send a copy to the NRC project officer and/or Contract Officer Representative (COR) and the regional security advisor, if appropriate. The report must include the details of the incident, as well as the name of the person who committed it. If the contractor does not have the capability to complete and submit the NRC Form 183, the COR must do so on behalf of the contractor.

C. The NRC Form 183 must contain the following:

1) The full name of the individual involved;
2) The individual's office and title or if a contractor, the company and COR's name;
3) The classification of the information involved, but not the vulnerability if it has not been corrected; and
4) The date, reason or cause, and nature of the incident.

8. Consequences of non-compliance with protecting SUNSI

Consequences of non-compliance with protecting SUNSI may include:

A. Removal of system access for a specified period of time;
B. Mandated training regarding the information about the specific security incident; and/or
C. Possible disciplinary action up to and including removal from Federal service or the contract. (See MD 12.1, "NRC Facility Security Program," and MD 12.5, "NRC Cybersecurity Program").

9. Release of Information to the Public

Each document considered for routine release to the public by the agency must be reviewed to determine whether the document is releasable under NRC policy (see MD 3.4, "Release of Information to the Public"), including application of screening criteria for determining if information should be withheld from public disclosure because it could reasonably be expected to be useful to a potential adversary. (See http://drupal.nrc.gov/sunsi/34661.)

Each document requested by the public via FOIA or the Privacy Act must be reviewed to determine whether the document, or part thereof, is releasable or is exempt from public disclosure. (See MD 3.1, "Freedom of Information Act" and MD 3.2, "Privacy Act.")

The presence or absence of cover sheets or markings as "Allegation Information," "Investigation Information," or similar markings, does not determine whether a document may be withheld from the public. Whenever an NRC employee has a question regarding the releasability of information, the employee should consult with the employee's supervisor or-

  • The Governance & Enterprise Management Services Division (GEMSD), Office of the Chief Information Officer (OCIO) if a request for information involves the Freedom of Information Act (FOIA) or the Privacy Act. (See MD 3.1, "Freedom of Information Act" and MD 3.2, "Privacy Act.")
  • The Office of Enforcement (OE) regarding allegation information.
  • The Office of Investigations (OI) regarding OI investigation information.
  • The Office of the Inspector General (OIG) regarding OIG investigation information.
  • The Office of Nuclear Reactor Regulation (NRR) or the Office of Nuclear Material Safety and Safeguards (NMSS), as appropriate, on whether a document contains 10 CFR 2.390(d)(1) information.
  • The Office of the General Counsel (OGC), or appropriate regional counsel, on legal questions.

Other Government and International agencies should be consulted before documents bearing restrictive markings or containing SUNSI of primary interest to them are released to the public.

10. "No Comment" Policy for SUNSI

Should SUNSI appear in the public domain (e.g., newspapers) prior to the agency's official release of that information and should an NRC employee be contacted by an organization outside of the agency to confirm or deny either the accuracy or sensitivity of the released information, the NRC employee should respond to such a request with a "no comment" statement. If an NRC employee has any questions about how to handle a request for comment about an unauthorized release of SUNSI, the employee should consult with the employee's supervisor or the originator of the information.

11. Security Preparations Required for Hearings, Conferences, or Discussions

NRC personnel, NRC consultants, NRC contractor personnel, and others (e.g., bidders) who arrange or participate in hearings, conferences, or discussions (see MD 3.5, "Attendance at NRC Staff Sponsored Meetings") involving SUNSI shall-

  • Ensure before a hearing, conference, or discussion that participating personnel are identified and are authorized to have access to the information to be discussed.
  • Inform participating personnel that the specific information they will receive is SUNSI and advise them of the protective measures required.
  • Ensure that no discussion takes place that is audible or visible to persons not authorized access to the information.


8/3/2020 Security-Related Information | NRC Intranet

Security-Related Information

CONTENT OWNER
Page content maintained by: SUNSI.Resource@nrc.gov

APPLICABLE DOCUMENT CATEGORIES

10 CFR 2.390 Information

Information that could be useful, or could reasonably be expected to be useful to a terrorist in a potential attack that does not qualify as Safeguards or Classified Information (see Staff Guidance for Screening Documents that Could be Useful to a Terrorist)

AUTHORITY TO DESIGNATE

NRC-Originated Information: The originator proposes and the signer approves designation.

Information Received by NRC: The office principally responsible for the information.

ACCESS

Who may have access?
NRC staff, contractors, or consultants who have a need-to-know the information to perform their official duties.

NEED-TO-KNOW CONTROLS

Do need-to-know controls apply?
  • Need-to-know controls must be applied to the information.
  • Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.

https://drupal.nrc.gov/sunsi/34643

MARKING

What documents should be marked?
Mark all pages of all documents.

Who may authorize document marking?
Originator, supervisor, or principal recipient.

How should a document be marked?
NRC-Generated Documents: Mark the top and bottom of each page "Official Use Only - Security-Related Information."

Documents Generated by Licensees, Applicants, Contractors or Other Outside Persons/Organizations Subject to NRC Jurisdiction: Mark the top of each page - "Security-Related Information - Withhold Under 10 CFR 2.390."

When is portion or page marking required?
If an entire page of a document containing OUO-SRI contains other categories of information, including non-sensitive information.

On documents that may be released following the redaction of sensitive information.

The following criteria apply when considering whether a document contains nuclear/security-related information (see Criteria for Nuclear/Security-Related Information).

COVER SHEET

When should a cover sheet be used?
Not applicable.

What cover sheet is used?
Not applicable.

REPRODUCTION

How many copies may be made?
Reproduction is limited to the number of copies needed for official use unless stated otherwise on the document.

Copies must clearly show the original markings.

Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, printers, copiers, or any other electronic medium.

PROCESSING ON ELECTRONIC SYSTEMS

On what information systems may the document be processed?
NRC LAN and other systems authorized to operate by the NRC under MD 12.5, NRC Cyber Security Program.

Is encryption required while data is at rest?
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.

May the information be processed in ADAMS?
Security-Related Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform their official duties. ADAMS Sensitivity Code: A.3 - Sensitive-Security-Related - Periodic Review Required

USE AT HOME

May I use the document at home?
Yes. Abide by the following requirements.

Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).

Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.

To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.

Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.

Employees are expressly prohibited from processing SUNSI on personally owned computers, even when an encrypted storage media is employed.

It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance.

May I use the information at home under the NRC Flexible Workplace Program?
Yes. Abide by the following requirements.

Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices.

If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.

To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be viewed by any other individual who is not authorized access.

Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.

Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.

USE WHILE TRAVELING OR COMMUTING

May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:

Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.

Individuals should hand carry protected information during travel only if other means for transmitting the information, (e.g., mailing ahead, secure information sharing), are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.

Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.

Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5, to preclude unauthorized access if the laptop or device is lost or stolen.

The information should be returned to an NRC authorized storage location at the earliest possible opportunity.

PHYSICAL COPY TRANSMISSION

May I transmit paper or electronic media including CD-ROM, disk or tape?

Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be -

Hand-carried.

Sent via NRC's interoffice mail system.

Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.

Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.

Outside the NRC: Information may be transmitted by -

NRC Messenger/NRC contractor messenger.

U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service where available.

Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession where possible unless they place the document in the custody of another person authorized access.

Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope. Request tracking service where available.

Other means approved by OIS and the Director, Division of Facilities and Security, ADM.

Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at:

(http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).

Encryption:

All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.

ELECTRONIC COPY TRANSMISSION

May I transmit the document electronically by e-mail or fax?

Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be emailed or faxed.

Outside the NRC: Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.

Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.

Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.

Electronic files must contain appropriate markings.

STORAGE

Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.

Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.

On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.

For storage requirements of other Federal, State, Foreign Government, and International Agency controlled information use their guidelines (See).

DESTRUCTION

Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).

Non-Official Record Copies: Destroy as indicated below:

Using an ADM/DFS approved shredder that has been approved to destroy Classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).

Placed in a Sensitive Unclassified Waste Disposal Containers.

Tear into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.

Burning, pulping, pulverizing, or chemical decomposition.

Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.

DECONTROL AUTHORITY

Originating office or office primarily responsible for the information.

8/3/2020 Sensitive Internal Information | NRC Intranet

Sensitive Internal Information

CONTENT OWNER

Page content maintained by: SUNSI.Resource@nrc.gov

APPLICABLE DOCUMENT CATEGORIES

Attorney-Client Privilege

Attorney Work Product

Includes any predecisional information that rises to a level of sensitivity to justify it being protected as SUNSI. As such SII includes predecisional enforcement information but can also include other types of predecisional information. A subject matter expert should make a determination whether the specific predecisional information rises to a level that requires protecting it as SUNSI.

Information submitted to the Commission marked "Sensitive"

Information Systems Vulnerability Information (information that, if not protected, could result in adverse effects to information systems)

Sensitive - Not For Distribution (Except to Commission Adjudicatory Employees in Accordance with 10 CFR 2.348)

Source selection information other than proprietary information

AUTHORITY TO DESIGNATE

For NRC originated information, originator proposes - signer approves.

For NRC received information, office principally responsible for the information.

ACCESS

Who may have access?

NRC employees or NRC contractor employees who have a need-to-know the information to perform their official duties.

https://drupal.nrc.gov/sunsi/34644 1/6

NEED-TO-KNOW CONTROLS

Do Need-to-know controls apply?

  • Need-to-know controls must be applied to the information.
  • Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access.

MARKING

What documents should be marked?

Mark all pages of all documents.

Who may authorize document marking?

Originator, supervisor, or principal recipient.

How should a document be marked?

Mark at top and bottom of each page.

Mark as "Official Use Only - Sensitive Internal Information" OR use more specific markings, as illustrated in the following examples:

For Attorney-Client Privilege: "Official Use Only - Attorney-Client Privilege"

For Attorney Work Product: "Official Use Only - Attorney Work Product"

For Predecisional Enforcement Information: "Official Use Only - Predecisional Enforcement Information"

For Adjudicatory Material: "Official Use Only - Adjudicatory Material"

When is portion or page marking required?

If an entire page of a document containing OUO-SRI contains other categories of information, including non-sensitive information.

On documents that may be released following the redaction of sensitive information.

The following criteria apply when considering whether a document contains nuclear/security-related information (see Criteria for Nuclear/Security-Related Information).

COVER SHEET

When should a cover sheet be used?

Not required.

Note: Use of the green "Official Use Only" cover sheet has been discontinued.

What cover sheet is used?

Not applicable.

REPRODUCTION

How many copies may be made?

Reproduction is limited to the number of copies needed for official use unless document contains restrictions.

Copies must clearly show the original markings.

Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, printers, copiers, or any other electronic medium.

PROCESSING ON ELECTRONIC SYSTEMS

On what information systems may the document be processed?

NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."

Is encryption required while data is at rest?

OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.

May the information be processed in ADAMS?

Sensitive Internal Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform their official duties. ADAMS Sensitivity Code: A.7

Note: Sensitive Internal Information has two (2) sub-categories within the A.7 sensitivity code. Therefore, you must select the proper A.7 based on the following criteria:

Sensitive Internal Information - No Periodic Review Required - contains attorney-client privilege, attorney work product, or predecisional enforcement information.

Sensitive Internal Information - Periodic Review Required - contains all other Sensitive Internal Information

USE AT HOME

May I use the document at home?

Yes. Abide by the following requirements:

Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).

Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.

Electronic work from home must use an NRC computer or an NRC authorized capability, such as BYOD or CITRIX.

To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.

Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on personally owned computers even when an encrypted floppy disk, CD, DVD, or thumb drive is the storage media.

Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.

It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance.

May I use the information at home under the NRC Flexible Workplace Program?

Yes. Abide by the following requirements.

If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.

To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.

Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.

Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.

USE WHILE TRAVELING OR COMMUTING

May I use the information while on official travel or commuting to or from work?

Yes. Abide by the following requirements:

Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.

Individuals should hand carry protected information during travel only if other means for transmitting the information, e.g., mailing ahead, secure information sharing, are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.

Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped, in hotel security facilities if possible.

Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device to preclude unauthorized access if the laptop or device is lost or stolen.

The information should be returned to an NRC authorized storage location at the earliest possible opportunity.

PHYSICAL COPY TRANSMISSION

May I transmit paper or electronic media including CD-ROM, disk or tape?

Yes. Abide by the following requirements:

Inside the NRC:

Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).

Outside the NRC: Information may be transmitted by -

NRC Messenger/NRC contractor messenger.

U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail.

Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession to the maximum extent possible unless they place the document in the custody of another person authorized access.

Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope.

Other means approved by OIS and the Director, Division of Facilities and Security, ADM.

Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at:

(http://www.nrc.gov/site-help/electronic-sub-ref-mat.html)

Encryption:

All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.

ELECTRONIC COPY TRANSMISSION

May I transmit the document electronically by e-mail or fax?

Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be emailed or faxed.

Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.

Outside the NRC: Information may be transmitted by -

Fax: May use non-secure facilities where it is confirmed that a recipient who is authorized to access the information will be present to receive the information.

E-Mail: All SUNSI information must be encrypted during transmission outside of the internal network as stated in MD 12.5. Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.

Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.

Otherwise, transmit a physical copy in the manner set forth above.

Electronic files must contain appropriate markings.

STORAGE

Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.

Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.

On NRC Electronic Systems: May be stored on NRC encrypted computer systems authorized to operate under MD 12.5.

DESTRUCTION

Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).

Non-Official Record Copies: Destroy copies other than the official record version by any means that prevents reconstruction in whole or part, including the following methods:

Using an ADM/DFS approved shredder that has been approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).

Placing in a Sensitive Unclassified Waste Disposal Container.

Tearing into one-half inch pieces or smaller (in all dimensions) and disposing of in a waste receptacle.

Burning, pulping, pulverizing, or chemical decomposition.

Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.

DECONTROL AUTHORITY

Originating office or office primarily responsible for the information.

8/3/2020 Sensitive Unclassified Non-Safeguards Information (SUNSI) | NRC Intranet

Sensitive Unclassified Non-Safeguards Information (SUNSI)

SUNSI is defined as any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

The NRC generates and receives many categories of documents containing SUNSI. Each category of documents falls into one of nine SUNSI handling groups. NRC employees, consultants, and contractors are responsible for properly protecting SUNSI documents in accordance with procedures established for the eight handling groups.

The presence or absence of markings or cover sheets does not entirely determine whether a document may be withheld from or released to the public. Whenever an NRC employee has a question regarding the denial or releasability of a document, whether it is marked or not, the employee should consult with their supervisor and/or the originator of the document, the SUNSI guidance contained on this site, and MD 3.4, "Release of Information to the Public."

General guidance applicable to all SUNSI handling groups is contained in NRC Policy and Procedures for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information (SUNSI). For detailed information on handling requirements for each of the nine SUNSI groups, follow the appropriate link below, or use the navigation buttons above.

Staff are reminded of the need to protect SUNSI via yellow announcement YA-19-0102, "Policy Reminder of the NRC's Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI and Applicable MDs," (ML19298D153). Specifically, the YA notes possible consequences of non-compliance with protecting SUNSI including: (a) removal of system access for a specified period; (b) mandated training regarding the information about the specific security incident; and (c) possible disciplinary action up to and including removal from the Federal service.

SUNSI information must be protected with respect to "need-to-know." The definition of need-to-know was provided via yellow announcement YA-16-0052, "Change to Need-to-Know Definition" (ML16111A43}_,~ ). The definition is stated as follows:

"Need-to-Know"

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

The Commission has approved the Office of General Counsel's guidance and recommendations for program offices regarding finalized procedures to allow potential intervenors to gain access to relevant records that contain sensitive unclassified non-safeguards information and safeguards information. To review the guidance and recommendations see the final procedures (ML080440239) and SRM-SECY 0215 (ML080320502).

All SUNSI must be encrypted when the information is outside of NRC facilities as stated in MD 12.5. This includes the requirement to encrypt the information during transmission outside of the internal network. All encryption used by NRC must use FIPS 140 validated algorithms and cryptographic modules or encryption approved by the National Security Agency for protection of classified information. Contact Kathy Lyons-Burke, Senior Level Advisor for Information Security, Office of the Chief Information Officer (OCIO) with any questions regarding information protection policy.

https://drupal.nrc.gov/sunsi 1/4

SUNSI Groups and Applicable Document Categories

Allegation Information

  • Confidential Allegation Information
  • Sensitive Allegation Information

Investigation Information

  • Office of the Inspector General (OIG) Investigation-related documents
  • Office of Investigations (OI) Investigation-related document

Critical Electric Infrastructure Information (CEII)

Information related to a system or asset of the bulk-power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.

CEII is exempt from disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(3), and includes (but is not limited to) specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:

(i.) Relates details about the production, generation, transportation, transmission, or distribution of energy; (ii.) Could be useful to a person in planning an attack on critical infrastructure; and (iii.) Does not simply give the general location of the critical infrastructure.

(See CEII page: "what documents should be marked" and "how should a document be marked" sections for guidance on marking documents received or generated by NRC as CEII.)

Export Controlled Information (ECI)

Statutory and regulatory authorities for export controlled information (ECI) provide designation authority to agencies other than the U.S. Nuclear Regulatory Commission (NRC). Questions about ECI designations should be referred to the Office of the Chief Information Officer who will coordinate with the U.S. Department of Energy (DOE), U.S. Department of Commerce (DOC), or U.S. Department of State (DOS) as necessary.

Security-Related Information

  • 10 CFR 2.390 Information
  • Licensee-submitted information that may qualify as Critical Infrastructure Information as defined by other agencies including - Sensitive Security Information (SSI) - Transportation Security Administration (TSA)
  • Information that could be useful, or could reasonably be expected to be useful to a terrorist in a potential attack that does not qualify as Safeguards or Classified Information (see Staff Guidance for Screening Documents for Information that Could be Useful to a Terrorist)
  • Sensitive Homeland Security Information - Department of Homeland Security (DHS) to define

Proprietary Information

  • Trade Secrets or Confidential Commercial or Financial Information.
  • INPO Private - Institute of Nuclear Power Operations (INPO)
  • Source Evaluation Proprietary Data

Privacy Act/Personally Identifiable Information

Privacy Act - All information contained in a Privacy Act System of Records (see the "Privacy Act System of Records Notice").

Personally Identifiable Information (PII) - All information that can be used to distinguish or trace an individual's identity.

PII Relationship to Privacy Act - Only PII that is part of a Privacy Act system of records will be protected by the provisions of the Privacy Act. Therefore, while some PII may be considered Privacy Act information, not all of it is. PII that is contained in documents, files, or databases not part of a system of records will not receive the specific benefits of this legal protection but is to be treated in accordance with applicable agency policy for handling sensitive information.

Federal-, State-, Foreign Government- and International Agency-Controlled Information

  • Information not to be released to foreign nationals without the permission of the author or originating agency (NOFORN)
  • Not For Public Disclosure Under Terms of the Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
  • Law Enforcement Sensitive (Federal & State Law Enforcement Agencies)
  • For Official Use Only (FOUO) - Department of Defense (DOD)
  • Official Use Only (OUO) - Department of Energy (DOE)
  • Unclassified Controlled Nuclear Information (UCNI) - DOE
  • Naval Nuclear Propulsion Information (NNPI) - DOE
  • Sensitive but Unclassified (SBU) - Department of State (DOS)
  • Government-Controlled Information
  • Foreign Government-Controlled Information
  • State Agency-Controlled Information

Sensitive Internal Information

  • Attorney-Client Privilege
  • Attorney Work Product
  • Predecisional Enforcement Information
  • Sensitive - Not For Distribution (Except to Commission Adjudicatory Employees in Accordance with 10 CFR 2.348)
  • Information submitted to the Commission marked "Sensitive"
  • Source selection information other than proprietary information

Consolidated guidance on SUNSI was developed in response to recommendations made by the EDO's Task Force on Management of Sensitive Unclassified Non-Safeguards Information (SUNSI). The final report of the task force is available in ADAMS under accession number ML043170097.

CUI Briefing

ISOO - CUI Briefing - January 27, 2017

What's New in SUNSI?

SUNSI is being transitioned to Controlled Unclassified Information (CUI)

SUNSI Policy and Procedures

Inadvertent or Unauthorized Release of SUNSI

Marking SUNSI in Electronic Formats

Frequently Asked Questions

Contact SUNSI.Resource@nrc.gov

8/3/2020 Policy Reminder of the NRC'S Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI a ...

United States Nuclear Regulatory Commission

Subject:

Policy Reminder of the NRC'S Policy for Protecting SUNSI as Described in the NRC Policy for Handling, Marking, and Protecting SUNSI and Applicable MDs

ANNOUNCEMENT CATEGORY: Policy Reminder

ML #: ML19298D153

MANAGEMENT DIRECTIVE #: MD 12.1, MD 12.5, MD 12.6

Yellow Announcement: YA-19-0102

Date: December 9, 2019

Expiration Date: June 30, 2020

TO: All NRC Employees

SUBJECT:

POLICY REMINDER OF THE U.S. NUCLEAR REGULATORY COMMISSION'S POLICY FOR PROTECTING SENSITIVE UNCLASSIFIED NON-SAFEGUARDS INFORMATION AS DESCRIBED IN THE NRC POLICY FOR HANDLING, MARKING, AND PROTECTING SENSITIVE UNCLASSIFIED NON-SAFEGUARDS INFORMATION AND APPLICABLE MANAGEMENT DIRECTIVES

The Office of the Chief Information Officer (OCIO) has become aware of several recent security incidents regarding the handling of sensitive unclassified non-safeguards information (SUNSI), including some that could have potentially resulted in a release of information to external entities without a need-to-know. Additionally, OCIO's Data Loss Prevention monitoring tools have continued to identify the transmission of unencrypted SUNSI information to external parties and personal e-mail. Although these incidents are reported to office management, the mishandling of SUNSI information persists. This Yellow Announcement reminds staff of the U.S. Nuclear Regulatory Commission (NRC) policy for protecting SUNSI and reinforces NRC policy for noncompliance including potential disciplinary action.

Background

Management Directive (MD) 12.6, "NRC Sensitive Unclassified Information Security Program," describes NRC policy regarding NRC personnel responsibility for ensuring that sensitive unclassified information is marked, handled, and protected from unauthorized disclosure under pertinent laws, other NRC MDs, and applicable directives of other Federal agencies and organizations. The SUNSI policy, posted on the SUNSI Web site, "NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information," updated SUNSI categories and describes applicable requirements not included in MD 12.6. MD 12.1, "NRC Facility Security Program," describes NRC policy regarding potential consequences for failure to protect against unauthorized disclosure of SUNSI and other types of information.

Other documents that describe NRC policy regarding marking, handling, and protection of SUNSI are:

1. For the release of information to the public - MD 3.4, "Release of Information to the Public";
2. For electronic processing, storage, destruction, and transmission of SUNSI including storage of SUNSI on share drives - MD 12.5, "NRC Cybersecurity Program" and the "NRC Agency-wide Rules of Behavior for Authorized Computer Use";
3. For handling allegation information - MD 8.8, "Management of Allegations";
4. For handling of Privacy Act information - MD 3.2, "Privacy Act," and the Privacy Act of 1974;
5. For security incidents, infractions, and violations of SUNSI disclosure - MD 12.1, "NRC Facility Security Program"; and
6. For marking incoming confidential commercial or financial (proprietary) information - 10 CFR 2.390.

https://drupal.nrc.gov/announcements/yellow/policy-reminder/58541 1/3

As described in the "NRC Policy for Handling, Marking, and Protecting Sensitive Unclassified Non-Safeguards Information," SUNSI is organized into the following nine groups:

1. Allegation Information;
2. Investigation Information;
3. Critical Electric Infrastructure Information;
4. Export Controlled Information;
5. Security-Related Information;
6. Proprietary Information;
7. Privacy Act/Personally Identifiable Information;
8. Federal-, State-, Foreign Government-, and International Agency-Controlled Information; and
9. Sensitive Internal Information.

To the extent that a different statute, regulation, or other directive already established the requirements for a particular SUNSI group, this policy incorporates those preexisting requirements. For example, MD 8.8 establishes the requirements and procedures for handling allegation information, while the Privacy Act of 1974, as amended, and MD 3.2 lay out the requirements for handling Privacy Act information. Further, 10 CFR 2.390 establishes the marking requirements for incoming confidential commercial or financial (proprietary) information. Finally, MDs 12.1 and 12.5 contain the requirements for electronic processing, storage, destruction, and transmission of SUNSI. When more than one SUNSI group applies to information, the most restrictive handling requirement of the applicable group applies.

While the NRC is currently working to implement the Controlled Unclassified Information (CUI) program, the SUNSI policies remain in place until the CUI program is fully implemented. NRC employees and contractors will be informed of plans to support the NRC's transition to CUI. Additional information on the CUI program is available at the NRC's CUI Web site.

Applicability

NRC employees, consultants, and contractors are responsible for ensuring that SUNSI is protected in accordance with the procedures specified in applicable policies. The use of the word "contractor" includes subcontractors. SUNSI security incidents, as described in MD 12.1 Handbook Part VIII, Section B, include: leaving sensitive unclassified documents or material unattended, unsecured, or improperly stored (including shared network drives unless access controls are applied); improper transmission of sensitive unclassified documents or material; allowing an unauthorized person access to sensitive unclassified information; and/or failure to safeguard a sensitive unclassified container combination. Consequences of non-compliance with protecting SUNSI may include: (a) removal of system access for a specified period; (b) mandated training regarding the information about the specific security incident; and/or (c) possible disciplinary action up to and including removal from the Federal service.

If you have any questions regarding this policy and procedures, contact SUNSI.Resource@nrc.gov.

/RA/

David J. Nelson
Chief Information Officer

Management Directive References:

1. MD 12.1, "NRC Facility Security Program," Handbook Part VIII (B)(2) and (E)(2)
2. MD 12.5, "NRC Cybersecurity Program," Handbook including "NRC Agency-wide Rules of Behavior for Authorized Computer Use"
3. MD 12.6, "NRC Sensitive Unclassified Information Security Program," Handbook Part I (A)(2) and (B)

SUBMITTER'S EMAIL: Adam.Glazer@nrc.gov

AUTHORIZING OFFICIAL: David Nelson

SIGNATURE DATE: Monday, December 9, 2019

PUBLISH ON: Monday, December 16, 2019

YELLOW NUMBER: YA-19-0102

8/3/2020 Proprietary Information | NRC Intranet

Proprietary Information

CONTENT OWNER

Page content maintained by: SUNSI.Resource@nrc.gov

Table of Contents

  • Applicable Document Categories
  • Marking
  • Use at Home
  • Authority to Designate
  • Cover Sheet
  • Use While Traveling or Commuting
  • Access
  • Reproduction
  • Physical Copy Transmission
  • Need-to-Know Controls
  • Processing on Electronic Systems
  • Electronic Copy Transmission
  • Storage
  • Destruction
  • Decontrol Authority

APPLICABLE DOCUMENT CATEGORIES

Trade Secrets or Confidential Commercial or Financial Information.

INPO Private - Institute of Nuclear Power Operations (INPO).

Source Evaluation Proprietary Data.

Information or records concerning a licensee's or applicant's physical protection, classified matter protection, or material control and accounting program for special nuclear material not otherwise designated as Safeguards Information or classified as National Security Information or Restricted Data.

Information submitted in confidence to the Commission by a foreign source.

AUTHORITY TO DESIGNATE

Business originator makes proprietary claim. For proprietary information to be protected, NRC must accept proprietary claim based on review by the responsible office and OGC, when needed.

ACCESS

Who may have access?

NRC staff, contractors and consultants who have a need-to-know the information to perform their official duties and have the proper clearance.

https://drupal.nrc.gov/sunsi/34642

NEED-TO-KNOW CONTROLS

Do Need-to-know controls apply?

  • Need-to-know controls must be applied to the information.
  • Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.

MARKING

What documents should be marked?

Mark all documents containing Trade Secrets or Confidential Commercial or Financial Information.

Do not mark documents from INPO designated INPO Private.

Who may authorize document marking?

NRC recipient or originator (or supervisor) pursuant to 10 CFR 2.390.

How should a document be marked?

NRC Generated Documents:

The top and bottom of each page should be marked - "Official Use Only - Proprietary Information."

Incoming Documents:

Marking requirements are defined in 10 CFR 2.390(b) and require marking only at the top of page, and each successive page containing proprietary information, and adjacent to the specific proprietary information.

When is portion or page marking required?

Required for all documents.

If the entire page is not affected, indicate the basis (i.e., trade secret, etc.) for the designation adjacent to the protected information. See 10 CFR 2.390(b)(1)(i)(B).

COVERSHEET

When should a cover sheet be used?

Not required.

What cover sheet is used?

Not applicable.

Note: Use of the yellow Proprietary Information cover sheet has been discontinued, and must not be used.

REPRODUCTION

How many copies may be made?

No reproduction for INPO Private without INPO permission; otherwise see below.

Copies must clearly show the original markings.

Abide by copyright restrictions.

Reproduction limited to number of copies needed for official use.

Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, or removable storage media.

PROCESSING ON ELECTRONIC SYSTEMS

On what information systems may the document be processed?

NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."

Is encryption required while data is at rest?

OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.

May the information be processed in ADAMS?

Proprietary Information may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to the group "NRC Users". ADAMS Sensitivity Code: A.4 - Sensitive-Proprietary - No Periodic Review Required.

USE AT HOME

May I use the document at home or under the NRC Flexible Workplace Program?

Yes, abide by the following requirements:

If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with NRC Flexible Workplace standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.

When using at home or at an alternate work location abide by the following:

Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts). See exceptions below.

Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.

It is discouraged to take hard-copy material to private residences. If hard-copy material is taken home, it must be brought back to an NRC facility and stored and/or destroyed properly. To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by any individual who is not authorized access.

Employees who work at home must perform electronic processing of SUNSI on either (1) an NRC-issued laptop with NRC-approved encryption software, (2) a home computer within the virtual environment provided by the agency through CITRIX, or (3) using an NRC authorized solution such as BYOD. Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on personally owned computers even when an encrypted storage media is employed.

USE WHILE TRAVELING OR COMMUTING

May I use the information while on official travel or commuting to or from work?

Yes, abide by the following requirements:

Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.

Individuals should hand carry protected information during travel only if other means for transmitting the information, e.g., mailing ahead, secure information sharing, are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.

Information must be kept in the traveler's personal possession to extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible.

Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.

The information should be returned to an NRC authorized storage location at the earliest possible opportunity and/or destroyed appropriately as described in the "Destruction" section below.

PHYSICAL COPY TRANSMISSION

May I transmit paper or electronic media including CD-ROM, disk or tape?

Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be -

  • Hand-carried to an individual authorized access to the information.
  • Sent via NRC's interoffice mail system. Transmit in a single opaque envelope and address to an individual authorized access to the information.
  • Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope and address to an individual authorized access to the information.
  • Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope and address to an individual authorized access to the information.

Outside the NRC: Information may be transmitted by -

  • NRC Messenger/NRC contractor messenger.
  • U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service if not included.
  • Hand carried by any individual authorized access to the information. That individual shall retain the information in his or her possession unless they place the document in the custody of another person authorized access.
  • Approved commercial express carriers (time-sensitive material only; use NRC Form 420). Transmit in single opaque envelope and address to an individual authorized access to the information. Request tracking service where available.
  • Other means approved by OCIO and the Director, Division of Facilities and Security, ADM.

Incoming to the NRC:

Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (Reference Materials for Electronic Submissions).

Encryption:

All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.

ELECTRONIC COPY TRANSMISSION

May I transmit the document electronically by e-mail or fax?

Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be e-mailed or faxed.

Outside the NRC:

All electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.

To an authorized user who has a need-to-know the information.

FAX: May use non-secure facilities where it is confirmed that a recipient that is authorized to access the information will be present to receive the information.

E-MAIL: Please follow the guidance outlined in the Office of the Chief Information Officer issued announcement dated August 9, 2017.

Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.

Electronic files must contain appropriate markings.

STORAGE

Inside the NRC (Headquarters and Regional Offices): Store in locking or in non-locking container within areas where there is supplemental security including electronic access controls (keycard) and/or guards on duty. If management determines additional protection is needed, the information should be stored in key locked file cabinets or equivalent storage containers.

Outside the NRC (Resident Inspector sites): Store in key locked desks or other key locked containers.

On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.

DESTRUCTION

Official Record Version:

Destroy in accordance with "NRC Comprehensive Records Disposition Schedule" (NUREG-0910).

Non-official Record Copies:

Destroy copies other than the official record version by any means that prevents reconstruction in whole or part, including the following methods:

  • Using an ADM/DFS approved shredder that has been approved to destroy classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information.
  • Place in Sensitive Unclassified Waste Disposal Containers.
  • Tear into one-half inch pieces (in all dimensions) or smaller and dispose of in the trash.
  • Burning, pulping, pulverizing, or chemical decomposition.

Electronic Data:

Use NRC authorized destruction methods in accordance with MD 12.5.

DECONTROL AUTHORITY

Office primarily responsible for the information.

Information submitted under 10 CFR 2.390 must undergo an acceptance review prior to formal acceptance as Proprietary Information.

Under 10 CFR Part 9, NRC must notify the submitter prior to de-controlling.

8/3/2020 Critical Electric Infrastructure Information (CEII) | NRC Intranet

Critical Electric Infrastructure Information (CEII)

CONTENT OWNER

Page content maintained by: SUNSI.Resource@nrc.gov

Table of Contents

  • Authority to Designate
  • Cover Sheet
  • Use While Traveling or Commuting
  • Access
  • Reproduction
  • Physical Copy Transmission
  • Need-to-Know Controls
  • Processing on Electronic Systems
  • Electronic Copy Transmission
  • Marking
  • Use at Home
  • Storage
  • Destruction
  • Decontrol Authority

Agencies are encouraged by FERC to label information believed to be CEII.

ACCESS

Who may have access?

Restricted to those that have a need-to-know the information to perform their NRC work.

NEED-TO-KNOW CONTROLS

Do Need-to-know controls apply?

Need-to-know controls must be applied to the information.

Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access. Additionally, recommend considering whether ADAMS document processing contract personnel should have access.

MARKING

What documents should be marked?

Mark all pages of all documents. A recommended practice is that paragraphs containing CEII should be marked.

This CEII marking should be applied to NRC information that is:

  • Security-related information associated with critical infrastructure; or
  • Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies for withholding under FOIA exemption 7F)

NRC information that should be labeled and handled as containing CEII includes not only on site information but also information related to critical infrastructure offsite from the nuclear power plant, such as hydroelectric dams, gas pipelines, and the electric grid.

https://drupal.nrc.gov/sunsi/34638

Who may authorize document marking?

FERC has authority to formally designate information as CEII.

NRC information should be labeled as containing CEII if:

  • FERC has formally designated the NRC information as CEII; or
  • Staff believes that the NRC information may be CEII even before a formal FERC designation of that information as CEII

How should a document be marked?

NRC information associated with critical infrastructure (e.g., nuclear power plants, dams, electric grid, etc.) that is potentially CEII and NRC information that has formally been designated by FERC as CEII are to have the same marking: "CEII - DO NOT RELEASE"

All other applicable sensitive information labeling (e.g., Security Related Information) should be retained.

This CEII marking should be applied to NRC information that is:

  • Security-related information associated with critical infrastructure; or
  • Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies for withholding under FOIA exemption 7F)

NRC information that should be labeled and handled as containing CEII includes not only on site information but also information related to critical infrastructure offsite from the nuclear power plant, such as hydroelectric dams, gas pipelines, and the electric grid.

NRC may also receive CEII from other agencies or external parties that already contain CEII markings, such as:

  • CUI//CEII
  • CEII - DO NOT RELEASE
  • Contains Critical Electric Infrastructure Information - DO NOT RELEASE

NRC staff does not need to add any additional CEII markings to information NRC receives from other agencies or external parties that already contain CEII markings.

When is portion or page marking required?

Portion marking is not required, but a recommended practice is that paragraphs containing CEII should be marked.

COVERSHEET

When should a cover sheet be used?

A cover sheet is not required.

What cover sheet is used?

Not applicable.

REPRODUCTION

How many copies may be made?

Should only make as many copies as are absolutely required to perform government mission.

Printing from home location allowed using local (non-networked) printer.

PROCESSING ON ELECTRONIC SYSTEMS

On what information systems may the document be processed?

2-factor user authentication is required to gain access to this information.

Is encryption required while data is at rest?

Controls at the moderate sensitivity level are required.

CEII on portable digital media must be encrypted in accordance with MD 12.5.

USE AT HOME

May I use the document at home?

Yes. Abide by the following requirements:

Can process using a government furnished computer, within the NRC CITRIX application, or approved BYOD device container.

Must restrict access to the information so that only those with a need-to-know can see the content and computer session is locked when not in use.

Must obtain supervisor approval to have printed copies at home.

Printed copies access controlled so that only those with a need-to-know can see the content, and printed copies are locked away when not in use.

Printed copies must be destroyed using NRC approved Shredder.

All information must be encrypted in accordance with MD 12.5.

May I use the information at home or under the NRC Flexible Workplace Program?

Yes. Abide by the requirements listed under home use above.

USE WHILE TRAVELING OR COMMUTING

May I use the information while on official travel or commuting to or from work?

Yes. Abide by the following requirements:

Can process using a government furnished computer, within the NRC CITRIX application, or approved BYOD device container.

Must restrict access to the information so that only those with a need-to-know can see the content and computer is locked when not in use.

Must obtain supervisor approval to have printed copies while traveling or commuting.

Printed copies access controlled so that only those with a need-to-know can see the content, and printed copies are locked away when not in use.

Printed copies must be destroyed using NRC approved Shredder.

PHYSICAL COPY TRANSMISSION

May I transmit paper or electronic media including CD-ROM, disk or tape?

Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be -

  • Hand-carried.
  • Sent via NRC's interoffice mail system.
  • Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
  • Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.

Outside the NRC: Information may be transmitted by -

  • NRC Messenger/NRC contractor messenger
  • U.S. Postal Service: signature required.
  • Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession to the maximum extent possible unless they place the document in the custody of another person with authorized access.
  • Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope.
  • Other means approved by the CIO and the Director, Division of Facilities and Security, ADM.

Encryption:

All electronic media (e.g., CD-Rom, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.

ELECTRONIC COPY TRANSMISSION

May I transmit the document electronically by e-mail or fax?

Yes. Abide by the following requirements:

Electronic transmissions outside of the NRC network must be encrypted and only able to be unencrypted by those individuals with the required access authorization and need-to-know.

STORAGE

If the electronic copy is outside of NRC facilities, the information must be encrypted in accordance with MD 12.5.

NRC provided mobile desktops automatically encrypt the contents of the hard drive.

MaaS360 containers used with personal mobile devices are encrypted.

Electronic access to the information must be restricted to those individuals with the required access authorization and need-to-know.

Physical copies must be in a locked container when not in use.

DESTRUCTION

Use ADM/DFS approved sensitive information destruction methods.

DECONTROL AUTHORITY

FERC

REQUIREMENTS FOR CONTRACTORS

Ensure contract clauses that include the following:

Restrict access to the information to those with an appropriate background check that have a need-to-know the information to perform their NRC work.

Require controls in accordance with MD 12.5.

Require information protection requirements included here.

Require unauthorized disclosure be reported within 1 hour to the NRC contracting officer.

8/3/2020 Export Controlled Information (ECI) | NRC Intranet

Export Controlled Information (ECI)

CONTENT OWNER

Page content maintained by: SUNSI.Resource@nrc.gov

Table of Contents

  • Authority to Designate
  • Storage
  • Physical Copy Transmission
  • Access
  • Reproduction
  • Electronic Copy Transmission
  • Marking
  • Use at Home
  • Destruction
  • Cover Sheet
  • Use While Traveling or Commuting
  • Decontrol Authority
  • Need to Know Controls
  • Electronic Identification and Authentication Requirements
  • Electronic Information Controls
  • Requirements for Contractors
  • Unauthorized Disclosure Reporting Requirements

AUTHORITY TO DESIGNATE

Statutory and regulatory authorities for export controlled information (ECI) provide designation authority to agencies other than the U.S. Nuclear Regulatory Commission (NRC). Questions about ECI designations should be referred to the Office of the Chief Information Officer who will coordinate with the U.S. Department of Energy (DOE), U.S. Department of Commerce (DOC), or U.S. Department of State (DOS) as necessary. Inform submitters that if they submit ECI to the NRC that, by law, may not be shared with foreign nationals, they must label it as such before submitting the information because the NRC may otherwise, as part of its ordinary course of business, provide information it receives to other parties (e.g., contractors) that may employ foreign nationals.

ACCESS

Restrict access to U.S. citizens who have a need to know (NTK) the information to perform their NRC work. ECI may not be provided to individuals who are not U.S. citizens, including foreign assignees working in NRC's offices and contractors.

MARKING

Apply the proper marking to all documents and digital media designated by the applicant or licensee as containing ECI.

Mark documents "Export Controlled Information" at the top and bottom of every page.

Mark electronic media "Export Controlled Information."

https://drupal.nrc.gov/sunsi/57002

COVERSHEET

Use a cover sheet marked "Contains Export Controlled Information."

STORAGE

Adopt a "clean desk" strategy for ECI when it's not attended.

Hard Copies: Lock your computer and put hard copies out of sight (e.g., in a desk drawer, cabinet, or carrying case). Consider ECI to be unattended any time you are not in the same cubicle or office as the ECI.

Electronic Media: Store "audit" discs and other electronic media in an approved safe or other secure location (such as the records vault) unless it is in use. (The DLSE safe is currently located in the Limited Access Computing room in OWFN -2Al).

REPRODUCTION

Make only as many copies as absolutely required to perform the Government's mission.

Printing is only allowed on the NRC's network or other location approved for processing ECI. Secure print should be used.

USE AT A REMOTE WORK LOCATION (i.e., outside of the NRC's offices)

Process the information using a Government furnished computer or within the NRC CITRIX application or with an approved bring-your-own-device (BYOD) container.

Use only approved secured WIFI within a secured BYOD device container or use an NRC issued air card.

Secure laptops that are not in use to prevent loss or access by unauthorized individuals.

Restrict access to the information so that only those with NTK are able to see the content and lock the computer screen when the computer is not in use. Secure computers that are being transported to prevent loss or access by unauthorized individuals.

Obtain prior supervisor approval to have printed copies at home.

Control printed copies so that only those with NTK see the content and secure printed copies in a locked container when they are not in use or are unattended (e.g., a locking drawer within an approved work area at home or a locking cabinet).

Destroy printed copies and electronic media using a destruction method approved by the Office of Administration, Division of Facilities and Security (ADM/DFS).

USE WHILE TRAVELING OR COMMUTING

Require approval by DOE to take electronic or hard copy ECI on travel to a foreign country in accordance with DOE Order 551.1C, "Official Foreign Travel."

Process information using a Government furnished computer within the NRC CITRIX application or an approved BYOD container.

Restrict access to the information so that only those with NTK are able to see the content and lock and password protect the computer screen when the computer is not in use or is unattended.

Obtain prior supervisor approval to have printed copies while traveling or commuting.

Control access to printed copies so that only those with NTK are able to see the content and secure printed copies in a locked container when they are not in use (e.g., a locking drawer with a key(s) under positive control).

Destroy printed copies and electronic media using an ADM/DFS approved destruction method.

PHYSICAL COPY TRANSMISSION

Inside the NRC (including regional office space), information may be -

  • hand carried
  • sent through the NRC's interoffice mail system
  • sent through the NRC's pouch service between Headquarters and the regions (i.e., transmit the information in a single opaque envelope)
  • sent through approved commercial express carriers between Headquarters and the regions (for time-sensitive material only; use NRC Form 420 and transmit the information in a single opaque envelope)

Outside the NRC, information may be transmitted by -

  • NRC messenger/NRC contractor messenger
  • U.S. Postal Service (i.e., first class mail, registered mail, express mail, or certified mail)
  • hand carried by any individual who has authorized access to the information (that individual shall retain the information in his or her possession to the maximum extent possible unless he or she places the document in the custody of another person who has authorized access)
  • approved commercial express carriers (time-sensitive material only; use NRC Form 420 and transmit the information in a single opaque envelope)
  • other means approved by the Chief Information Officer and ADM/DFS

ELECTRONIC COPY TRANSMISSION

Encrypt electronic transmissions to or from e-mail addresses outside the NRC network such that they are only able to be unencrypted by those individuals with the required access authorization and NTK. Encryption is not required if the information is sent to and from an e-mail address inside the NRC network.

DESTRUCTION

Destroy printed copies and electronic media using an ADM/DFS approved destruction method.

DECONTROL AUTHORITY

Decontrol ECI in accordance with the statutory or regulatory authority (e.g., DOE, DOC, DOS, or other relevant Federal entity) under which the information was determined to be ECI.

NEED TO KNOW CONTROLS

Apply "most limited access" controls to the information, including the establishment of predesignated electronic user groups (e.g., on network shared drives or in ADAMS) that exclude administrative and other selected offices without a mission need.

ELECTRONIC IDENTIFICATION AND AUTHENTICATION REQUIREMENTS

Use two-factor user authentication to gain access to this information.

ELECTRONIC INFORMATION CONTROLS

Use controls at the moderate sensitivity level in accordance with the requirements of the Federal Information Security Modernization Act of 2014.

REQUIREMENTS FOR CONTROLS

Ensure contractual documents provide proper export control requirements for work coming into the facility and work being outsourced from the facility that are equivalent to NRC controls. To handle this, use the contract clauses in Title 48 of the Code of Federal Regulations (48 CFR) 925.7102, "Contract Clause"; 48 CFR 952.225-71, "Compliance with Export Control Laws and Regulations (Export Clause)"; 48 CFR 970.2571-3, "Contract Clause"; and 48 CFR 970.5225-1, "Compliance with Export Control Laws and Regulations (Export Clause)," or as approved by ADM/DFS as applicable.

Update NRC Form 187, "Contract Security and/or Classification Requirements," for contracting officer representatives (CORs) to identify requirements for any contract that involves the handling or use of ECI, including the NTK restriction and the U.S. citizenship requirement.

Update the statement of work template to include the NTK restrictions and U.S. citizenship requirement.

Ensure the inclusion of contract clauses that do the following:

  • Restrict access to the information to U.S. citizens who have NTK for the information to perform their NRC work.
  • Require unauthorized disclosure be reported within 1 hour to the NRC contracting officer. The contracting officer would immediately report the unauthorized disclosure to the COR, Computer Security Incident Response Team (CSIRT), and ADM/DFS.

UNAUTHORIZED DISCLOSURE REPORTING REQUIREMENTS

Report unauthorized disclosure to the Office of the Chief Information Officer and CSIRT within 1 hour of its discovery.

8/3/2020 Federal-, State-, Foreign Government-, and International Agency-Controlled Information | NRC Intranet

Federal-, State-, Foreign Government-, and International Agency-Controlled Information

CONTENT OWNER

Page content maintained by: SUNSI.Resource@nrc.gov

Table of Contents

  • Applicable Document Categories
  • Marking
  • Use at Home
  • Authority to Designate
  • Cover Sheet
  • Use While Traveling or Commuting
  • Access
  • Reproduction
  • Physical Copy Transmission
  • Need-to-Know Controls
  • Processing on Electronic Systems
  • Electronic Copy Transmission
  • Storage
  • Destruction
  • Decontrol Authority

APPLICABLE DOCUMENT CATEGORIES

  • Information not to be released to foreign nationals without the permission of the author or originating agency (NOFORN, Export Controlled Information (DOE))
  • Not For Public Disclosure Under Terms of the Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
  • Law Enforcement Sensitive (Federal & State Law Enforcement Agencies)
  • For Official Use Only (FOUO) - Department of Defense (DOD)
  • Official Use Only (OUO) - Department of Energy (DOE)
  • Unclassified Controlled Nuclear Information (UCNI) - DOE
  • Naval Nuclear Propulsion Information (NNPI) - DOE
  • Sensitive but Unclassified (SBU) - Department of State (DOS)
  • Government-Controlled Information
  • Foreign Government-Controlled Information
  • State Agency-Controlled Information

AUTHORITY TO DESIGNATE

Originating Federal, State, Foreign Government or International Agency.

https://drupal.nrc.gov/sunsi/34639 1/6

ACCESS

Who may have access?
NRC employees and contractors who have a need-to-know the information for the conduct of official business.

NEED-TO-KNOW CONTROLS

Do Need-to-know controls apply?
o Need-to-know controls must be applied to the information.

o Recommend the establishment of pre-designated user groups that exclude administrative, other select Offices and/or groups that do not have an obvious mission need from access.

MARKING

What documents should be marked?
Rely on marking of submitting organization. If the submitting organization's marking is not sufficient to indicate the document's sensitivity, contact the organization to clarify the document markings.

Who may authorize document marking?
Submitting organization.

How should a document be marked?
Rely on marking of submitting organization. If the submitting organization's marking is not sufficient to indicate the document's sensitivity, contact the organization to clarify the document markings. If additional marking is deemed necessary, mark the top and bottom of each page as illustrated in the following examples:

'For Official Use Only - State-Agency Controlled Information - State of Iowa'

'For Official Use Only - Sensitive But Unclassified (SBU) - DOS'

When is portion or page marking required?
Not required; however if an unmarked document containing sensitive information is received, containing Federal-, State-, Foreign Government-, and International Agency-Controlled Information, the document should be marked to alert users of the sensitivity of the information that is contained within, and the originating agency should be contacted to alert them of the discrepancy.

COVER SHEET

When should a cover sheet be used?
Not required. If other agency marking is not sufficient to indicate the document's sensitivity, contact the originating agency to clarify the document markings.

Note: Use of the green "Official Use Only" cover sheet has been discontinued and must not be used.

What cover sheet is used?
Not applicable.

Note: Use of the green "Official Use Only" cover sheet has been discontinued and must not be used.

REPRODUCTION

How many copies may be made?
Reproduction limited to number of copies needed for official use unless restriction is placed on document by submitting organization.

Copies must clearly show the original markings.

Note: Where restrictions are imposed on reproduction, the employee must also ensure that there are no non-authorized copies residing in electronic systems, such as on the network drive, local hard drive, or removable storage media.

PROCESSING ON ELECTRONIC SYSTEMS

On what information systems may the document be processed?
NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cyber Security Program."

Is encryption required while data is at rest?
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.

May the information be processed in ADAMS?
Most applicable document categories listed for this group may be entered into the ADAMS Main Library and must be profiled as Non-Publicly Available and Sensitive. Assign access rights to user groups with a need to access the information to perform their official duties. ADAMS Sensitivity Code: A.6 - Sensitive-Fed, State, Foreign Government Controlled Information - No Periodic Review Required.

The following document categories may not be entered into ADAMS:

  • NOFORN
  • Naval Nuclear Propulsion Information (NNPI)
  • Law Enforcement Sensitive

USE AT HOME

May I use the document at home?
Yes. Abide by the following requirements:

Employees, contractors, and consultants are prohibited from routinely using, handling, and storing the information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts).

Occasional use at an employee's residence requires approval of the employee's immediate supervisor or above.

To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by any individual who is not authorized access.

Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.

Employees are expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.

It is discouraged to take hard-copy material to private residences. If hard copy material is taken home, it must be returned to an NRC facility and stored and/or destroyed according to the instructions provided in this guidance. Note: hard-copy of NOFORN, NNPI, and Law Enforcement Sensitive Information are not allowed to be taken home unless specifically approved by the individual's supervisor or the contractor's COR.

May I use the information at home under the NRC Flexible Workplace Program?
Yes. Abide by the following requirements:

Employees are prohibited from using, handling, and storing the information at their residences and on personally owned devices.

If you are approved to work at home under the NRC Flexible Workplace Program, use in accordance with standards set forth in NRC Form 624, Flexible Workplace Program Participation Agreement.

To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be viewed by any other individual who is not authorized access.

Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a personally owned computer when connected to and working within CITRIX. Employees are also expressly prohibited from processing SUNSI on personally owned computers even when an encrypted storage media is employed.

Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX, (2) an NRC-issued laptop with NRC-approved encryption software, or (3) using an NRC authorized solution such as BYOD.

USE WHILE TRAVELING OR COMMUTING

May I use the information while on official travel or commuting to or from work?
Yes. Abide by the following requirements:

Use of the information is discouraged while traveling on public transportation. To ensure that the information is not viewed or accessed inadvertently or willfully, the employee must ensure that it cannot be seen by persons not authorized access. Particular care should be taken on a public conveyance or in waiting rooms where others may be sitting and standing in close proximity to where the information is being used.

Individuals should hand carry protected information during travel only if other means for transmitting the information (e.g., mailing ahead, secure information sharing) are not readily available or are operationally unacceptable. If hand carrying is determined to be the best transport method, care must be exercised to ensure that the information is not compromised through loss or inadvertent access.

Information must be kept in the traveler's personal possession to the extent possible, and stored, appropriately wrapped as to reveal evidence of tampering, in hotel security facilities if possible. Information must not be saved/stored on a personally owned computer. Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.

The information should be returned to an NRC authorized storage location at the earliest possible opportunity.

PHYSICAL COPY TRANSMISSION

May I transmit paper or electronic media including CD-ROM, disk or tape?
Yes. Abide by the following requirements:

Inside the NRC (including Regions): Information may be -

  • Hand-carried.
  • Sent via NRC's interoffice mail system.
  • Sent via NRC pouch service between headquarters and the regions. Transmit in a single opaque envelope.
  • Sent via approved commercial express carriers between headquarters and the regions (time-sensitive material only; use NRC Form 420). Transmit in a single opaque envelope.

Outside the NRC: Information may be transmitted by -

  • NRC Messenger/NRC contractor messenger.
  • U.S. Postal Service: First Class Mail, Registered Mail, Express Mail, Certified Mail. Request tracking service where available.
  • Hand-carried by any individual authorized access to the information. That individual shall retain the information in his or her possession where possible unless they place the document in the custody of another person authorized access.
  • Approved commercial express carriers (time-sensitive material only; use NRC Form 420); Transmit in single opaque envelope. Request tracking service where available.
  • Other means approved by OIS and the Director, Division of Facilities and Security, ADM.

Incoming to the NRC: Electronic submissions, including CD-ROMs, submitted to the NRC should follow the E-Rule "Guidance for Electronic Submission to the Agency," available on NRC's external Web site at: (http://www.nrc.gov/site-help/electronic-sub-ref-mat.html).

Encryption:

All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.

ELECTRONIC COPY TRANSMISSION

May I transmit the document electronically by e-mail or fax?
Yes, unless restricted by the submitting agency. Abide by the following requirements:

Inside the NRC (including Regions):

Information may be e-mailed or faxed.

When transmitting information follow the requirements specified by the Federal, State, Foreign Government, or International agency.

Outside the NRC: Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.

Fax: May use non-secure facilities where it is confirmed that a recipient who is authorized to access the information will be present to receive the information.

E-mail: Please follow the guidance outlined in the Office of the Chief Information Officer announcement dated August 9, 2017.

Use of portals that encrypt the information during transmission, such as "BOX" are highly encouraged.

Electronic files must contain appropriate markings.

STORAGE

Unless originating agency provides specific storage requirements, abide by the following requirements:

Inside the NRC (Headquarters and Regional Offices): Store in non-locking or locking container at the end of each business day or when not in use.

Outside the NRC (Resident Inspector Sites): Store in key locked desks or other key locked containers.

On NRC Electronic Systems: May be stored on NRC encrypted computer systems that are authorized to operate under MD 12.5.

DESTRUCTION

Unless originating agency provides specific destruction guidance, abide by the following requirements:

Official Record Version: Destroy in accordance with NRC Comprehensive Records Disposition Schedule (NUREG-0910).

Non-official Record Copies: Destroy as indicated below:

  • Using an ADM/DFS approved shredder that has been approved to destroy Classified Information, Safeguards Information, SUNSI, and Controlled Unclassified Information (CUI).
  • Place in a Sensitive Unclassified Waste Disposal Container.
  • Tear into one-half inch pieces or smaller (in all dimensions) and dispose of in a waste receptacle.
  • Burning, pulping, pulverizing, or chemical decomposition.

Electronic Data: Use NRC authorized destruction methods in accordance with MD 12.5.

DECONTROL AUTHORITY

Normally decision will be referred to the originating entity. Originating office or office primarily responsible for the information will consult with originating entity.

8/3/2020 Investigation Information | NRC Intranet

Investigation Information

CONTENT OWNER

Page content maintained by: SUNSI.Resource@nrc.gov

Table of Contents

  • Applicable Document Categories
  • Marking
  • Use at Home
  • Authority to Designate
  • Cover Sheet
  • Use While Traveling or Commuting
  • Access
  • Reproduction
  • Physical Copy Transmission
  • Need-to-Know Controls
  • Processing on Electronic Systems
  • Electronic Copy Transmission
  • Storage
  • Destruction
  • Decontrol Authority

APPLICABLE DOCUMENT CATEGORIES

Any Office of Investigations (OI) or Office of the Inspector General (OIG) investigation-related documents.

AUTHORITY TO DESIGNATE

OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents in Charge (SAIC's).

OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).

ACCESS

Who may have access?
Personnel authorized by the designated authorities identified under Authority to Designate, above.

NEED-TO-KNOW CONTROLS

Do Need-to-know controls apply?
o Need-to-know controls must be applied to the information.

o Recommend the establishment of pre-designated user groups that exclude administrative and other selected Offices without an obvious mission need from access.

https://drupal.nrc.gov/sunsi/34640 1/5

MARKING

What documents should be marked?
All documents shall be marked.

Who may authorize document marking?
OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents in Charge (SAIC's).

OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).

How should a document be marked?
Header and footer markings specific to either OI or OIG on each page containing Investigation Information.

Examples:

o "Official Use Only - OI Investigation Information"
o "Official Use Only - OIG Investigation Information"

When is portion or page marking required?
Mark each page of -

o Any Report of Investigation
o Any other designated investigation-related document.

Portion marking is not required since entire page must be marked.

COVER SHEET

When should a cover sheet be used?
On all Reports of Investigation for both OI and OIG, and any other designated investigation-related documents.

What cover sheet is used?
Investigation Information Cover Sheet

REPRODUCTION

How many copies may be made?
OI: Distribution of OI Reports of Investigation (ROI) is determined and authorized by the SAIC. Any further dissemination must be authorized by the approving official of the ROI, the SAIC, or as authorized by the Designation Authority.

OIG: As authorized by Designation Authority;

o The Inspector General (IG),
o Deputy Inspector General (DIG),
o Assistant Inspector General for Investigations (AIGI), and
o Senior Level Assistant for Investigative Operations (SLAIO).

PROCESSING ON ELECTRONIC SYSTEMS

On what information systems may the document be processed?
OI: NRC LAN and other systems authorized to operate by the NRC under MD 12.5, "NRC Cybersecurity Program."

OIG: None.

Is encryption required while data is at rest?
OMB has directed that all sensitive information be encrypted using only NIST-certified cryptographic modules both at rest and during transmission. NRC automatically encrypts data at rest and during transmission within NRC facilities. Any SUNSI that is outside of NRC facilities must be encrypted at rest.

May the information be processed in ADAMS?
No, for both OI and OIG Investigation Information. ADAMS Sensitivity Code: Not Applicable

USE AT HOME

May I use the document at home?
No, for OIG Investigation Information.

For OI Investigation Information:

1) OI personnel must have the Director of OI's approval to use Investigation Information at home.
2) Other NRC staff must comply with the following:

o OI has implemented a procedure to facilitate the limited use of Investigation Information by other NRC staff outside of NRC-controlled space. The procedure requires Office Directors and Regional Administrators to determine it appropriate and necessary for their staff to use Investigation Information outside of NRC-controlled space to complete high priority work projects. Office Directors and Regional Administrators must then make a request for such limited use via memorandum to the Director of OI. The Director of OI will authorize requesting NRC staff to remove the Investigation Information from NRC-controlled space on a case-by-case basis. This agreement will include specific handling requirements and procedures for Investigation Information under the control of the NRC staff members.

o To ensure that the information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the information cannot be seen by a family member, guest, or any other individual who is not authorized access.

o Employees are prohibited from using, handling, and storing Investigation Information at their residences and on personally owned devices or sending information to non-NRC email addresses (e.g., personal email accounts). Electronic work from home must use an NRC computer or an NRC authorized capability, such as CITRIX.

May I use the information at home under the NRC Flexible Workplace Program?
No, for OIG Investigation Information.

For OI Investigation Information:

1) OI personnel must have the Director of OI's approval to use Investigation Information at home.
2) Other NRC staff must comply with the following:

o OI has implemented a procedure to facilitate the limited use of Investigation Information by other NRC staff outside of NRC-controlled space. The procedure requires Office Directors and Regional Administrators to determine it appropriate and necessary for their staff to use Investigation Information outside of NRC-controlled space to complete high priority work projects. Office Directors and Regional Administrators must then make a request for such limited use via memorandum to the Director of OI. The Director of OI will authorize requesting NRC staff to remove the Investigation Information from NRC-controlled space on a case-by-case basis. This agreement will include specific handling requirements and procedures for Investigation Information under the control of the NRC staff members.

o To ensure that the Investigation Information is not viewed or accessed inadvertently or willfully by a person not authorized access, the employee must ensure that the Investigation Information cannot be seen by a family member, guest, or any other individual who is not authorized access.

o Employees are prohibited from processing SUNSI on personally owned computers unless connected to and working within CITRIX, the NRC Broadband Remote Access System. Employees are prohibited from downloading or storing SUNSI to the hard drive of a home computer when connected to and working within CITRIX. Employees are also prohibited expressly from processing SUNSI on home computers even when an encrypted storage media is employed.

o Employees who work at home must perform electronic processing of SUNSI on either (1) a home computer within the virtual environment provided by the agency through CITRIX or (2) an NRC-issued laptop with NRC-approved encryption software.

USE WHILE TRAVELING OR COMMUTING

May I use the information while on official travel or commuting to or from work?
Yes, while on official travel with the proper security for both OI and OIG.

Hand carry protected information taking care to ensure that the Investigation Information is not compromised through loss or inadvertent access.

Investigation Information must be kept in traveler's personal possession to the extent possible, and stored, appropriately wrapped, in hotel security facilities if possible.

Return Investigation Information to an NRC authorized storage location at the earliest possible opportunity.

Information must not be saved/stored on a personally owned computer or sent to non-NRC email addresses (e.g., personal email accounts). Work must be performed on an encrypted laptop computer or other encrypted mobile IT device authorized for use per MD 12.5 to preclude unauthorized access if the laptop or device is lost or stolen.

PHYSICAL COPY TRANSMISSION

May I transmit paper or electronic media including CD-ROM, disk or tape?

Inside the NRC:

OI:

  • Normally, hand carried.
  • For internal mail, double-sealed "Addressee Only" envelope.
  • Between field offices and between a field office and HQ, commercial carrier may be used.

OIG:

  • Normally, hand-carried.
  • For internal mail, double-sealed "Addressee Only" envelope.

Outside the NRC:

OI:

  • Normally, hand-carried, commercial carrier or registered mail.

OIG:

  • Only hand-carried or registered mail.

Encryption:

All electronic media (CD-ROM, disk, tape, hard drives, thumb drives, etc.) must be encrypted in accordance with MD 12.5.

ELECTRONIC COPY TRANSMISSION

May I transmit the document electronically by e-mail or fax?

OIG Investigation Information:

o No, for OIG Investigation Information.

OI Investigation Information:

o OI Personnel and NRC staff must have the Director of OI's approval to transmit OI Investigation Information electronically by email or fax. If approved, OI Personnel and NRC staff are required to encrypt OI Investigation Information using FIPS 140-2 validated encryption modules operated in FIPS mode prior to sending it in accordance with Management Directive 12.5 "NRC Cybersecurity Program". This information should only be shared with individuals with a need-to-know.

Electronic transmissions (e.g., e-mail, fax) outside the NRC must be encrypted in accordance with MD 12.5.

STORAGE

Inside NRC:

For both OI and OIG: Investigation Information must be stored in safes, locked cabinets, or a limited access area protected by a card reader or other access control device.

Outside NRC:

OIG Investigation Information: If taken outside the NRC to another U.S. Government office, the information should be stored the same as inside the NRC, except as specified in "USE WHILE TRAVELING OR COMMUTING."

OI Investigation Information: If taken outside the NRC to use at home, paper-based records should be transported in portfolios, briefcases, or similar devices that are locked when the records are not in use. These containers should be identifiable by tag, label or decal with NRC contact and mailing information. Follow the instructions specified above for "USE WHILE TRAVELING OR COMMUTING."

On NRC Electronic Systems: Encrypted and password protected access for both OI and OIG Investigation Information.

DESTRUCTION

For OIG, follow OIG guidance in accordance with NUREG-0910, "NRC Comprehensive Records Disposition Schedule."

For OI:

o Use an ADM/DFS approved shredder that is approved to destroy classified information, Safeguards Information, SUNSI, and Controlled Unclassified Information.

o Place in Sensitive Unclassified Waste Disposal Containers.

o ELECTRONIC DATA: Use NRC authorized destruction methods in accordance with MD 12.5 or return to OI.

DECONTROL AUTHORITY

OI: The Office Director (OD), Deputy Office Director (DOD), and Special Agents in Charge (SAIC's).

OIG: The Inspector General (IG), Deputy Inspector General (DIG), Assistant Inspector General for Investigations (AIGI), and Senior Level Assistant for Investigative Operations (SLAIO).

UNITED STATES NUCLEAR REGULATORY COMMISSION

Yellow Announcement: YA-16-0052
Date: May 23, 2016
Expiration Date: July 1, 2019
TO: All NRC Employees

SUBJECT: CHANGE TO NEED-TO-KNOW DEFINITION

The purpose of this Yellow Announcement is to update the "need-to-know" definition in Management Directive (MD) 12.0, "Glossary of Security Terms." The revised definition of "need-to-know" is as follows:

Need-to-Know

1. A determination by a person having responsibility for protecting or holding the sensitive information, be it classified information, safeguards information, or sensitive unclassified information, that a proposed recipient's access to the sensitive information is necessary in the performance of an official and lawful requirement.
2. Knowledge, possession of, or access to, sensitive information including classified, safeguards, and/or sensitive unclassified information shall not be afforded to any individual solely by virtue of the individual's office, position, or security clearance.

Please note that MD 12.0 will be updated to include the revised definition. If you have any questions, please contact Denis Brady at (301) 415-5768.

/RA/

Cynthia A. Carpenter, Director
Office of Administration

Management Directive Reference: MD 12.0, "Glossary of Security Terms," Directive Section II, and MD 12.1, "NRC Facility Security Program," Handbook Section IV.B

ML16111A432

OFFICE  ADM/DFS/FSB  ADM/DFS/FSB/BC  ADM/DFS/DD
NAME    ARoundtree   DBrady          SSchoenmann
DATE    04/20/2016   04/20/2016      05/17/2016

OFFICE  ADM/DFS/D    ADM/DD          ADM/D
NAME    TPulliam     SStewart        CCarpenter
DATE    05/17/2016   05/23/2016      05/23/2016