ML18145A145

From kanterella
Revision as of 01:58, 21 October 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
YA-18-0051: Critical Energy/Electrical Infrastructure Information Policy
ML18145A145
Person / Time
Issue date: 05/25/2018
From: David Nelson
NRC/OCIO
To:
Lyons-Burke K
References
Download: ML18145A145 (3)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION Yellow Announcement: YA-18-0051 Date: May 25, 2018 Expiration Date: May 25, 2022 TO: All NRC Employees

SUBJECT:

CRITICAL ENERGY/ELECTRIC INFRASTRUCTURE INFORMATION POLICY The Fixing Americas Surface Transportation (FAST) Act created a statutory category of information called critical electric infrastructure information or CEII. The Federal Energy Regulatory Commission (FERC) was given the authority to designate as CEII both its own information and information of other agencies.

The FERC is the only entity that can formally designate information as CEII. However, the FERC has encouraged other Federal agencies to take all necessary steps to protect information that may be CEII. Certain information that the NRC handles associated with critical infrastructure (e.g., nuclear power plants, dams, electric grid) could qualify as CEII, so when you work with critical infrastructure information, consider whether or not it could potentially qualify as CEII. In the near term, you are expected to label and handle the following information as CEII:

1. Security-related information associated with critical infrastructure; or
2. Information associated with critical infrastructure that could reasonably be expected to endanger the life or physical safety of any individual, if released (typically information that qualifies under Freedom of Information Act (FOIA) exemption 7F).

Information that you should label and handle as CEII includes not only onsite critical infrastructure information but also information related to critical infrastructure offsite from the nuclear power plant (e.g., hydroelectric dams, gas pipelines, and the electric grid). The information should be labeled as CEII - DO NOT RELEASE. All other applicable sensitive information labeling (e.g., Security Related Information) should be retained.

Any information that is labeled as critical electric infrastructure information, including CEII, CEII - Do Not Release, Controlled Unclassified Information/CEII, or Contains Critical Energy Infrastructure Information - DO NOT RELEASE, must be protected in accordance with the controls defined on the Sensitive Unclassified Non-Safeguards Information (SUNSI) Web page (see the link to the CEII Web page). The SUNSI Web page has been updated to include CEII as a SUNSI group.

The FERC issued regulations in 18 CFR Parts 375 and 388 to implement the FAST Act. 18 CFR 388.13 provides the following definition of CEII:

(1) Critical electric infrastructure information means information related to critical electric infrastructure, or proposed critical electrical infrastructure, generated by or provided to the [FERC] or other Federal agency other than classified national security information, that is designated as [CEII] by the [FERC] . . . pursuant to [the FAST Act]. Such term includes information that qualifies as critical energy infrastructure information under the

[FERCs] regulations. [CEII] is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(3) and shall not be made available by any Federal, State, political subdivision or tribal authority pursuant to any Federal, State, political subdivision or tribal law requiring public disclosure of information or records pursuant to

[the FAST Act].

(2) Critical energy infrastructure information means specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:

(i) Relates details about the production, generation, transportation, transmission, or distribution of energy; (ii) Could be useful to a person in planning an attack on critical infrastructure; (iii) Is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C.

552; and (iv) Does not simply give the general location of the critical infrastructure.

Information designated as CEII is exempt from public disclosure under Exemption 3 of the FOIA. Withholding under this exemption is mandatory. In addition, this information requires specific protections. The NRC SUNSI Web page has been updated to reflect these requirements.

/RA/

David J. Nelson Chief Information Officer Management Directive

References:

1. MD 12.5, "NRC Cybersecurity Program," Directive Section III.E.1, Chief Information Officer
2. MD 12.6, NRC Sensitive Unclassified Information Security Program, Handbook Part I.D, Authority to Designate Sensitive Unclassified Information

Pkg.: ML18145A145

  • concur via e-mail OFFICE OCIO OGC OCIO NAME KLyons-Burke* GKim* - NLO DNelson DATE 05/25/2018 5/21/2018 05/25/2018
Retrieved from "https://kanterella.com/w/index.php?title=ML18145A145&oldid=1931918"