ML23019A372

January 10, 2023, CUI Meeting Slides
Person / Time
Issue date: 01/31/2023
From: Jonathan Feibus, Tanya Mensah
Governance & Enterprise Management Services Division
To: Mensah T
Shared Package: ML23024A180


Text

U.S. Nuclear Regulatory Commission (NRC)

Controlled Unclassified Information (CUI)

Virtual Closed Meeting

January 10, 2023

Jon Feibus, Director, Governance and Enterprise Management Services Division (GEMS)

Tanya Mensah, CUI Program Manager

Office of the Chief Information Officer (OCIO), US Nuclear Regulatory Commission (NRC)

Purpose

  • To provide an update on the NRC's schedule to transition to CUI on November 1, 2023.
  • To discuss the NRC's view only option in more detail and provide a live demonstration.
  • To obtain feedback from industry representatives regarding:
      • Use cases where the view only option is insufficient for licensees when handling CUI from the NRC.
      • Licensee efforts to complete the gap analysis for NIST SP 800-171, and any challenges.
      • Industry coordination with other federal agencies that expect to share CUI with NRC licensees.

Reminder: Please do not put questions in the chat.

You will have the opportunity to ask questions or comment at a designated time in the meeting.


NRC's Delayed Transition To CUI

On August 2, 2022, OCIO informed NRC employees and contractors of the plans to delay the CUI implementation from September 20, 2022, until approximately the fall of 2023 (Goal: November 1, 2023).

The delay was needed to:

  • Permit additional time to establish formal CUI information-sharing agreements.
      • The draft NRC CUI information-sharing agreement was discussed during the March 28, 2022, and June 2, 2022, NRC CUI public meetings (ADAMS Accession No. ML22145A552).
  • Develop a process to track signed agreements to facilitate information-sharing needs.
  • Train staff on the view only alternative to minimize the burden on external stakeholders of meeting the requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

NRC external stakeholders were informed of the new transition date shortly thereafter.

Updated NRC CUI public website & CUI FAQs: https://www.nrc.gov/reading-rm/cui.html

Estimated NRC CUI Timeline To Establish and Track Agreements

  • RIS 2022-03 (December 8, 2022): Issued a RIS to discuss the NRC's plans to transition to CUI and to establish CUI information-sharing agreements with NRC stakeholders.
  • Agreement (OMB approval) (August 2023): Obtain OMB approval of a clearance number for the information-sharing agreement. (Paperwork Reduction Act)
  • Sign Agreements (August-September 2023, Ongoing): Provide the information-sharing agreement to NRC stakeholders (i.e., licensees, Agreement States, etc.) for digital signature.
  • Tracking (August-September 2023, Ongoing): Store signed agreements in an NRC repository (TBD) to support tracking.
  • Maintenance (Ongoing): Update existing agreements and establish new agreements, as needed.

NIST SP 800-171

  • The CUI rule identifies National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as containing the security requirements for protecting CUI's confidentiality on non-Federal information systems.
  • If the non-executive branch entity's information systems process or store CUI, the CUI Rule requires agencies to prescribe National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, when establishing security requirements in written agreements to protect the CUI's confidentiality.
  • NIST SP 800-171 applies to non-executive branch entities that intend to process or store (e.g., download, forward, and print) CUI they receive from an agency on a non-Federal information system.


Access Rights and Action Summary

  • The NRC is planning to use Microsoft Purview Information Protection (MPIP) when sharing CUI with licensees.
  • Exception: This approach does not apply to the NRC's dissemination of Safeguards Information or Safeguards Information - Modified Handling.
  • Access to email and attached document(s) is provided through Microsoft Office 365 Message Encryption.
  • Recipients will be required to provide a One-Time-Passcode (OTP) to access the email.


Access Rights and Action Summary (continued)

Once the email is open, recipients can interact with the email and document based on the following general access rights:

  • View-Only (Restricted)
      • View-Only is for recipients that do not meet NIST SP 800-171 requirements.
      • You can only read the document, but cannot edit, print, or copy content.
  • Read/Write (Unrestricted)
      • Read/Write is for recipients that meet NIST SP 800-171 requirements. At a minimum, recipients need to have their gap analysis and plan of action milestones in place.
      • You can read, edit, print, and copy content of the document.
      • In accordance with the terms in the NRC's information-sharing agreement, licensees must also meet the requirements for handling and storing hard copies of CUI.


Comparison of View Only Versus Read/Write

Action                   View-Only (Restricted)   Read/Write (Unrestricted)
Read Online¹             Yes                      Yes
Edit                     No                       Yes
Print                    No                       Yes
Copy                     No                       Yes
Screen Capture/Sharing   No                       Yes
Save/Download            Yes²                     Yes
Sharing/Read Offline¹    Yes                      Yes

Live Demonstration of View Only

Discussion Topics (NRC & Industry Representatives)

  • Identify any use cases where the view only option is insufficient for licensees.
  • Identify any licensee efforts to complete the gap analysis and plan of action milestones for NIST SP 800-171, including estimated timeline and any challenges.
  • Discuss any industry efforts to coordinate with other federal agencies that expect to share CUI with NRC licensees.


Summary/Conclusion

  1. Maintain communications with NRC stakeholders regarding the NRC's plans to transition to CUI and following the transition to CUI.
  2. Coordinate with OMB to obtain a clearance number for the information-sharing agreement through the Paperwork Reduction Act.
  3. Finalize any decisions regarding a view only alternative to minimize the burden of NIST SP 800-171 on NRC stakeholders.
  4. Coordinate with NRC stakeholders who plan to meet NIST SP 800-171 so that they can download, print, and forward CUI they receive from the NRC onto a non-Federal information system.


How Can You Obtain Additional Information?

  • NRC CUI Program Contact
      • Jon Feibus, NRC CUI Senior Agency Official
      • Email: CUI@nrc.gov
  • Policy & Guidance
      • CUI Program Update To Stakeholders Meeting